US20220164464A1 - Control system, method, and control device - Google Patents
- Publication number
- US20220164464A1 (application US17/434,189)
- Authority
- US
- United States
- Prior art keywords
- members
- data
- memory card
- plc
- devices
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/05—Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
- G05B19/058—Safety, monitoring
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/10—Plc systems
- G05B2219/14—Plc safety
- G05B2219/14006—Safety, monitoring in general
Definitions
- This disclosure relates to a control system, a method and a control device, more particularly to a control system, a method and a control device for use in controlling access to data in a device group including a plurality of devices that are configured to communicate with each other.
- control systems including control devices, for example, programmable logic controllers (hereinafter, may be referred to as “PLC”).
- data stored in removable storage media are often used in such control systems for system recovery or update of programs and/or data.
- Japanese Patent Laying-Open No. 2011-215814 (patent literature 1) describes a backup and restoration system operable to backup or restore set values of target parameters in communication devices using a backup and restoration unit connected to the programmable logic controller (PLC).
- backup data stored in a removable storage medium, such as a memory card is used to restore various pieces of data.
- data may be often stored in removable storage media and accessed from devices including PLC whenever necessary, as in the backup and restoration system described in the patent literature 1.
- removable storage media that users can easily carry with them are very user-friendly.
- Such media that involve the risk of being stolen may raise certain concerns about security.
- An example of typical theft preventive measures may be access control through individual authentication using host devices authorized beforehand for the respective storage media.
- the media, in practical use, may not always be inserted in the authorized host devices.
- this disclosure is directed to providing a technology that can offer enhanced security without compromising user-friendliness in data accesses to removable storage media.
- An aspect of this disclosure provides a control system configured to control access to data in a device group, the device group includes a plurality of devices, and the plurality of devices are configured to communicate with one another.
- the control system includes a first device included in the plurality of devices and configured to receive, in a removable manner, a storage medium in which data is storable, and one or a plurality of second devices included in the plurality of devices.
- Each of members of the plurality of devices and the storage medium includes: a storage region configured to retain a list including relevant information associated with each of the members; and a verifying unit configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members.
- the first device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the first device satisfies a predetermined condition.
- any members included in the members but the first device verify the relevant information, and it is not until results of the verification satisfy a predetermined condition that the data stored in the storage medium becomes accessible. This may offer an improved level of security while ensuring user-friendliness in accesses to the data stored in the removable storage medium.
- the first device includes a reader including a concealed logic for exclusive use, and the storage medium is configured to permit access from the reader alone.
- In the control system thus characterized, in which the storage medium can only be accessed from the reader of the first device including the concealed logic for exclusive use, a higher level of security may be ensured in data accesses to the removable storage medium.
- the relevant information includes a serial number for identification of each of the members
- the verifying unit verifies the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members.
- In the control system thus characterized, the data stored in the storage medium can only be accessed after a predetermined condition is satisfied by a result of the verification of the serial number used to identify each member. This may offer an even higher degree of security in data accesses to the removable storage medium.
- the relevant information includes a model code of each of the members
- the verifying unit verifies the model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members.
- the data stored in the storage medium can only be accessed after a predetermined condition is satisfied by a result of the verification of the model code of each member.
- accesses to the data stored in the storage medium may be enabled for the members of the same model code having different serial numbers. This may ensure a good balance between user-friendliness and better security in data accesses to the removable storage medium.
- the control system disclosed herein further includes a support device configured to support the device group.
- the relevant information includes a serial number used to individually identify each of the members and a model code of each of the members.
- the verifying unit includes: a first verifying unit configured to verify the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members; and a second verifying unit configured to verify model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members.
- the support device provides a user interface configured to select the first verifying unit or the second verifying unit.
- In the control system thus characterized, a user is allowed to select, using the support device, which of the following is to be verified: the serial numbers used to individually identify the members, or the model codes of the members.
- the control system may be successfully built in a suitable manner for a level of security required of the system.
- the control system disclosed herein further includes a support device configured to support the device group.
- the support device provides a user interface configured to set a number of any members included in the members but the first device to be verified by the verifying unit.
- In the control system thus characterized, a user is allowed to set, using the support device, the number of members to be verified.
- the control system may be successfully built in a suitable manner for a level of security required of the system.
- the control system disclosed herein further includes a support device configured to support the device group.
- the support device provides a user interface configured to set a range of applicable members among the members.
- In the control system thus characterized, a user is allowed to set, using the support device, a range of applicable members.
- the control system may be successfully built in a suitable manner for a level of security required of the system.
- Another aspect of this disclosure provides a method for controlling access to data in a device group
- the device group includes a plurality of devices, and the plurality of devices are configured to communicate with one another.
- the plurality of devices include a first device configured to receive, in a removable manner, a storage medium in which data is storable, and one or a plurality of second devices.
- Each of members of the plurality of devices and the storage medium includes a storage region configured to retain a list including relevant information associated with each of the members.
- the method includes: prompting each of the members to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members; and enabling the first device to access the data stored in the storage medium when a result of verification obtained by each of the other members but the first device satisfies a predetermined condition.
- any members included in the members but the first device verify the relevant information, and it is not until results of the verification satisfy a predetermined condition that the data stored in the storage medium becomes accessible. This may offer an improved level of security while ensuring user-friendliness in accesses to the data stored in the removable storage medium.
- control device configured to control access to data and included in a device group, the device group has a plurality of devices, and the plurality of devices are configured to communicate with one another.
- the control device includes a receiving portion configured to receive, in a removable manner, a storage medium in which data is storable.
- Each of members of the plurality of devices and the storage medium includes: a storage region configured to retain a list containing relevant information associated with each of the members; and a verifying unit configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members.
- the control device is configured to access the data stored in the storage medium when a result of the verification obtained by the verifying unit of each of the other members but the control device satisfies a predetermined condition.
- any members included in the members but the first device verify the relevant information, and it is not until results of the verification satisfy a predetermined condition that the data stored in the storage medium becomes accessible. This may offer an improved level of security while ensuring user-friendliness in accesses to the data stored in the removable storage medium.
- FIG. 1 is a diagram that schematically illustrates a control system according to embodiments of this disclosure.
- FIG. 2 is a block diagram that schematically illustrates exemplified hardware components of a PLC and a memory card configuration according to the embodiments.
- FIG. 3 is a block diagram that schematically illustrates exemplified hardware components of a unit according to the embodiments.
- FIG. 4 is a block diagram that schematically illustrates exemplified hardware components of a support device according to the embodiments.
- FIG. 5 is a diagram that schematically illustrates an exemplified serial verification when data is duly accessed in a control system according to the embodiments.
- FIG. 6 is a diagram that schematically illustrates an example of serial verification assessment in the control system according to the embodiments.
- FIG. 7 is a diagram that schematically illustrates an exemplified serial verification when data is unduly accessed in the control system according to the embodiments.
- FIG. 8 is a diagram that schematically illustrates an exemplified model verification when data is duly accessed in the control system according to the embodiments.
- FIG. 9 is a diagram that schematically illustrates an example of model verification assessment in the control system according to the embodiments.
- FIG. 10 is a diagram that schematically illustrates an exemplified model verification when data is unduly accessed in the control system according to the embodiments.
- FIG. 11 is a diagram that schematically illustrates an exemplified setting screen of the support device according to the embodiments.
- FIG. 12 is a sequence diagram that illustrates an exemplified access authentication process using the serial verification executed in the control system according to the embodiments.
- FIG. 13 is a sequence diagram that illustrates an exemplified access authentication process using the model verification executed in the control system according to the embodiments.
- FIG. 1 is a diagram that schematically illustrates an exemplified case to which a control system 1 is applicable.
- control system 1 according to embodiments of this disclosure includes a device group including a plurality of devices that are allowed to communicate with one another.
- the “device” may refer to a target element to be controlled that constitutes control system 1 , and programs, configuration settings and parameters required for control computations may be generated and managed for each device.
- the “device” may typically encompass in its scope a programmable logic controller (PLC) which is a processing entity in charge of executing a control program (which may include sequence control and motion control), and peripheral devices connected to the PLC.
- the peripheral device may typically be a device that transmits and receives, to and from targets to be controlled, input and output data handled in the PLC. Specific examples of the peripheral device may include unit, slave device and coupler unit.
- control system 1 includes the following devices; a programmable logic controller (PLC) 100 , and a plurality of units 200 - 1 , 200 - 2 , 200 - 3 and 200 - 4 (hereinafter, may be collectively referred to as “units 200 ”) connectable to the PLC 100 in a manner that these units are allowed to communicate with the PLC.
- PLC 100 is presented as an example of the “first device”, and units 200 are presented as an example of the “second device”.
- the “first device” and the “second device” may be any one of such devices as PLC, unit, slave device, and coupler unit.
- unit 200 - 1 is disposed in a slot 2 (Unit 1 in the drawing)
- unit 200 - 2 is disposed in a slot 3 (Unit 2 in the drawing)
- unit 200 - 3 is disposed in a slot 4 (Unit 3 in the drawing)
- unit 200 - 4 is disposed in a slot 5 (Unit 4 in the drawing).
- These units 200 - 1 to 200 - 4 are connected to PLC 100 through a local bus 4 and are thereby allowed to communicate with PLC 100 .
- Control system 1 further includes a support device 400 configured to support the device group.
- Support device 400 is in charge of developing and managing control programs executed in the devices of control system 1 and parameters required of this system.
- PLC 100 is equipped with a USB (Universal Serial Bus) connector 105 connectable to and allowed to communicate with support device 400 . Any programs and parameters for settings developed by support device 400 are transferred (downloaded) through USB connector 105 into PLC 100 and units 200 by way of a network 2 .
- Control system 1 thus configured is loaded with functions for system recovery and update of data and programs in which the data stored in removable storage media is used.
- PLC 100 has a memory card interface 103 which receives memory card 300 in a removable manner. The data can be acquired by accessing memory card 300 mounted to memory card interface 103 .
- Memory card interface 103 is an example of the “receiving portion”.
- a specific use of this memory card interface may be backup and recovery of the system.
- a user may store and save, in memory card 300 , pieces of data used in the devices through memory card interface 103 .
- the device, if it breaks down, may be replaced with a new device, and the data saved and stored in memory card 300 (hereinafter, may be referred to as “backup data”) may be reloaded in the new device.
- This process may also be referred to as “restoration”.
- the backup data may typically be used to fix any bugs and errors of control system 1 .
- Memory card 300 described herein as an example of the “storage medium” may be selected from any removable memory cards such as SD (Secure Digital) cards.
- Other examples of the “storage medium” may include any removable storage media such as USB memory, compact flash (registered trademark) and memory stick.
- the “data” stored in the storage medium may include the backup data described earlier, programs and parameters used in the devices, and log data and trace data obtained by the devices.
- the backup data may be stored in removable memory card 300 to invite the devices, for example, PLC 100 , to access the stored data, whenever necessary.
- removable memory card 300 that users can easily carry with them is thus very user-friendly.
- removable medium that involves the risk of being stolen may raise certain concerns about security.
- An example of typical theft preventive measures may be access control through individual authentication using a host device(s) authorized beforehand for memory card 300 . In the FA (factory automation)-related fields, however, memory card 300 , in practical use, may not always be inserted in such an authorized host device.
- control system 1 is provided with a technology that may ensure a higher level of security without compromising user-friendliness in data accesses to the data in removable memory card 300 .
- control system 1 is so configured that, in case memory card 300 inserted in a particular device of the device group fails to authenticate the device loaded with memory card 300 , this particular device is enabled to access the data in memory card 300 , insofar as consistency is determined among configurations of the other devices of the device group currently interconnected. This technical feature is hereinafter described in detail.
- memory card 300 and the devices including PLC 100 and units 200 - 1 to 200 - 4 may be each referred to as “member”.
- the members each include a storage region in which a list containing pieces of relevant information associated with the members is retainable.
- the “relevant information” may be any information that can be used to identify each member.
- the relevant information may include model codes (Model in the drawing) and serial numbers (Serial in the drawing).
- the “model code” represents a model that allows each member to be distinguished from the other members based on differences in structure, facility and outer shape.
- the “serial number” represents a number that can be used to individually identify each member, an example of which may be a unique production number assigned to each product to be shipped out. The serial number is typically unique to each member, which may avoid the risk of different serial numbers being redundantly used among the members.
- the model codes are respectively assigned to specific models of products, which may possibly be shared among some of the members.
- “A” as model code and “a” as serial number are assigned to this device.
- “B” as model code and “b” as serial number are assigned to this device.
- “B” as model code and “c” as serial number are assigned to this device.
- “C” as model code and “d” as serial number are assigned to this device.
- “C” as model code and “e” as serial number are assigned to this device.
- Memory card 300 retains a list 300 L
- PLC 100 retains a list 100 L
- units 200 - 1 to 200 - 4 respectively retain lists 200 - 1 L to 200 - 4 L. These lists are prepared by support device 400 and transferred into the devices. These lists are also retained in memory card 300 by way of support device 400 or PLC 100 .
- list 300 L contains the model codes (Model) and the serial numbers (Serial) assigned to slots 1 to 5 and also contains the model code (Model) and the serial number (Serial) of memory card 300 .
- list 300 L illustrated in FIG. 1 has the same contents as those of list 100 L retained by PLC 100 and of lists 200 - 1 L to 200 - 4 L retained by units 200 - 1 to 200 - 4 .
- the members are configured to verify pieces of relevant information associated with and obtained from the other members against pieces of relevant information associated with the other members and included in the lists retained by the other members.
- memory card 300 verifies the model codes and the serial numbers of and obtained from the other members (PLC 100 , units 200 ) against the model codes and the serial numbers of the other members (PLC 100 , units 200 ) included in the list currently retained by memory card 300 to determine consistency or inconsistency between these pieces of relevant information of the other members (PLC 100 , units 200 ) obtained from the different sources.
- PLC 100 verifies the model codes and the serial numbers of and obtained from the other members (memory card 300 , unit 200 ) against the model codes and the serial numbers of the other members (memory card 300 , unit 200 ) included in the list currently retained by PLC 100 to determine consistency or inconsistency between these pieces of relevant information of the other members (memory card 300 , unit 200 ) obtained from the different sources.
- units 200 verify the model codes and the serial numbers of and obtained from the other members (memory card 300 , PLC 100 , other units 200 ) against the model codes and the serial numbers of the other members (memory card 300 , PLC 100 , other units 200 ) included in the lists currently retained by units 200 to determine consistency or inconsistency between these pieces of relevant information of the other members (memory card 300 , PLC 100 , other units 200 ) obtained from the different sources.
- predetermined condition may be optionally selected from any conditions under which the data stored in memory card 300 is accessible in view of security.
- When, for example, memory card 300 is inserted in PLC 100 , the members currently on the system are verified by any members included in the members but PLC 100 (memory card 300 , unit 200 ) based on the lists retained by the members except PLC 100 . Then, accesses by PLC 100 to the data stored in memory card 300 are enabled, insofar as the degree of consistency between results of verification by the members is greater than a certain value.
- In control system 1 , when memory card 300 is received by PLC 100 , the data stored in memory card 300 only becomes accessible after a predetermined condition is satisfied by results of verification of the relevant information by any members included in the members but PLC 100 (memory card 300 , units 200 ). This may ensure a higher level of security without compromising user-friendliness in accesses to the data stored in removable memory card 300 .
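
A minimal model of the list-based verification described above, added here as an illustration and not code from the patent. It shows how serial verification and model verification diverge when a unit is replaced and when the card turns up in a different rack. The member names, the card's identity (M/m), the assignment of the sample codes A to C and a to e to particular members, the consistency ratio and the 0.75 threshold are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MODEL = 0   # index of the model code in (model, serial)
    SERIAL = 1  # index of the serial number in (model, serial)


@dataclass
class Member:
    name: str
    model: str
    serial: str
    retained: dict = field(default_factory=dict)  # name -> (model, serial)

    def report(self):
        """Relevant information this member hands to the other members."""
        return (self.model, self.serial)

    def verify_others(self, present, mode):
        """Check every other member (listed or present) against the retained list.
        A member that is unlisted, absent, or different counts as a mismatch."""
        subjects = (set(self.retained) | set(present)) - {self.name}
        matches = 0
        for name in subjects:
            expected = self.retained.get(name)
            other = present.get(name)
            if expected is None or other is None:
                continue
            if other.report()[mode.value] == expected[mode.value]:
                matches += 1
        return matches, len(subjects)


# Constructed sample identities: name -> (model code, serial number).
SITE = {"card": ("M", "m"), "plc": ("A", "a"), "unit1": ("B", "b"),
        "unit2": ("B", "c"), "unit3": ("C", "d"), "unit4": ("C", "e")}
FOREIGN = {"card": ("N", "n"), "plc": ("A", "p"), "unit1": ("B", "q"),
           "unit2": ("B", "r"), "unit3": ("C", "s"), "unit4": ("C", "t")}
THRESHOLD = 0.75  # assumed "certain value" for the degree of consistency


def build_rack(identities):
    """Every member retains the same list, as a support device would provision it."""
    return {name: Member(name, model, serial, dict(identities))
            for name, (model, serial) in identities.items()}


def decide_access(first_device, present, mode, threshold=THRESHOLD):
    """Every member except the first device verifies the others; access is
    enabled only if the overall share of matching checks exceeds the threshold."""
    matches = checks = 0
    for name, member in present.items():
        if name == first_device:
            continue  # the device asking for access does not vouch for itself
        m, c = member.verify_others(present, mode)
        matches += m
        checks += c
    degree = matches / checks if checks else 0.0
    return degree > threshold, degree


def intact_rack(mode):
    return decide_access("plc", build_rack(SITE), mode)


def replaced_unit(mode):
    rack = build_rack(SITE)
    # Same model code, new serial number, and no list provisioned yet.
    rack["unit3"] = Member("unit3", "C", "x")
    return decide_access("plc", rack, mode)


def card_in_foreign_rack(mode):
    rack = build_rack(FOREIGN)
    rack["card"] = build_rack(SITE)["card"]  # card carried over from the home rack
    return decide_access("plc", rack, mode)


if __name__ == "__main__":
    for label, scenario in [("intact rack", intact_rack),
                            ("replaced unit", replaced_unit),
                            ("card in foreign rack", card_in_foreign_rack)]:
        for mode in (Mode.SERIAL, Mode.MODEL):
            allowed, degree = scenario(mode)
            print(f"{label:22} {mode.name:6} degree={degree:.2f} access={allowed}")
```

Model verification accepts the same-model replacement that serial verification rejects, which is the trade-off the text describes; the threshold decides how much disagreement among the members is tolerated.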
- Hardware components and configurations of the devices included in control system 1 are hereinafter described.
- FIG. 2 is a block diagram that schematically illustrates exemplified hardware components of PLC 100 and an exemplified configuration of memory card 300 according to the embodiments.
- PLC 100 includes a processor 102 , a main memory 104 , a storage 106 , a network controller 108 and a memory card interface 113 . These components are interconnected through a processor bus 130 .
- Processor 102 is a computing unit configured to execute computations for control, and elements constituting this processor include a CPU (Central Processing Unit) and a GPU (Graphics Processing Unit). Specifically, processor 102 reads programs stored in storage 106 (for example, control program 140 , system program 1060 , restoration program 1065 ) and then expands and runs the read programs on main memory 104 , so that predetermined processes for control are executed.
- FIG. 2 presents an example in which functions required of PLC 100 are offered by prompting processor 102 to run predetermined programs. Instead, the functions thus offered may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).
- Main memory 104 may include a volatile storage device, for example, DRAM (Dynamic Random Access Memory) or SRAM (Static Random Access Memory).
- Storage 106 may include a non-volatile storage device(s), for example, HDD (Hard Disk Drive) and/or SSD (Flash Solid State Drive).
- In storage 106 are stored a system program 1060 that enables basic functions, a control program 140 developed correspondingly to a target to be controlled, for example, facility or machinery, and a restoration program 1065 used to restore PLC 100 .
- Network controller 108 transmits and receives data to and from optional information processors including support device 400 through network 2 .
- Memory card interface 113 is an interface for exclusive use with memory card 300 described herein as an example of removable recording media. Memory card interface 113 that received a predetermined access authentication is allowed to write data in memory card 300 and read various pieces of data (for example, backup data) from memory card 300 .
- Memory card interface 113 is loaded with a security unit 1130 .
- Security unit 1130 is a security chip that permits or prohibits accesses made by processor 102 to memory card 300 .
- This security unit is an example of the “reader” including a concealed logic for exclusive use.
- Memory card 300 according to the embodiments is a memory card highly guarded against unauthorized data accesses. This memory card can only be accessed from security unit 1130 alone. Thus, the level of security may be enhanced in regard to data accesses to memory card 300 .
- Security unit 1130 includes a processor 1131 , a storage 1132 , a memory 1133 , an IO module 1134 , an IO module 1135 , and a memory card controller 1136 .
- Processor 1131 is a computing device in charge of computations for control and may include, for example, MPU (Micro Processing Unit). Specifically, processor 1131 reads programs stored in storage 1132 (for example, read program 1150 ) and then expands and runs the read program on memory 1133 , so that predetermined processes for control are executed.
- FIG. 2 presents an example in which functions required of security unit 1130 are offered by prompting processor 1131 to run predetermined programs. Instead, the functions thus offered may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).
- Memory 1133 may include a volatile storage device, for example, DRAM or SRAM.
- Storage 1132 may include a non-volatile storage device, for example, flash memory. This storage is an example of the “storage region” in PLC 100 .
- In storage 1132 are stored a read program 1150 , user data 1160 , certificate data 1170 , identification data 1180 , and a list 100 L.
- Read program 1150 includes a program which is run to execute an access authentication process. Specifically describing this process, when, for example, an access request is outputted from processor 102 for data 1335 including the backup data stored in memory card 300 , this read program determines whether the requested access to data 1335 in memory card 300 should be enabled. Then, the data is determined as accessible when a positive result is obtained but is determined as inaccessible when a negative result is obtained.
- User data 1160 includes pieces of information used to identify users in control system 1 (for example, account names, passwords).
- Certificate data 1170 contains information used to prove that PLC 100 is an authorized member for control system 1 .
- certificate data 1170 contains information on certificates issued when the devices are authenticated by the original manufacturers as genuine products.
- Certificate data 1170 may otherwise contain information on certificates issued when the devices are authenticated by users or third parties like outside organizations, instead of the original manufacturers.
- Identification data 1180 contains pieces of relevant information including the model code and the serial number of PLC 100 . As described earlier, list 100 L contains pieces of relevant information associated with the members.
- IO module 1134 transmits and receives input and output data, through processor bus 130 , to and from processor 1131 and processor 102 .
- IO module 1135 transmits and receives input and output data, through memory card controller 1136 , to and from processor 1131 and memory card 300 .
- Memory card controller 1136 activates a communication path leading to memory card 300 when accesses made by processor 102 to memory card 300 are enabled based on the access authentication process.
- memory card 300 includes a data area 1331 , a secure area 1332 , and a security controller 1336 .
- Data area 1331 is a storage region in which data 1335 including the backup data is storable.
- data 1335 may be encrypted with a key, for example, with a public key and then stored in data area 1331 .
- Secure area 1332 is a concealed storage region that requires any device trying to access this region to be authenticated beforehand. This secure area is an example of the “storage region” in memory card 300 .
- In secure area 1332 , a user data 1360 , a certificate data 1370 , an identification data 1380 , and a list 300 L are stored.
- User data 1360 contains pieces of information used to identify users in control system 1 (for example, account names, passwords). Certificate data 1370 contains information used to prove that memory card 300 is an authorized device for control system 1 .
- certificate data 1370 contains information on certificates issued when the devices are authenticated by the original manufacturers as genuine products.
- Certificate data 3170 may otherwise contain information on certificates issued when the devices are authenticated by users or third parties like outside organizations, instead of the original manufacturers.
- Identification data 1380 contains pieces of relevant information including the model code and the serial number of memory card 300 . As described earlier, list 300 L contains pieces of relevant information associated with the members.
- Security controller 1336 activates a communication path between security unit 1130 and area 1331 when accesses made by processor 102 to data area 1335 are enabled based on the access authentication process described earlier.
- Memory card 300 can be accessed only from security unit 1130 of PLC 100 , which includes the concealed logic for exclusive use. Even if another read-only device is able to reach memory card 300 , that device is still not allowed to access data 1335 stored in data area 1331 of memory card 300 unless it is authenticated beforehand based on the access authentication process.
- FIG. 3 is a block diagram that schematically illustrates exemplified hardware components of units 200 according to the embodiments. As illustrated in FIG. 3 , units 200 each include a function module 210 , a local bus controller 220 , and a security unit 2130 .
- Function module 210 provides a function(s) suitable for a job(s) to be done by each unit 200 .
- function module 210 has an input circuit and a detecting circuit for digital signals, for example, photocouplers.
- function module 210 has, for example, a track computing logic and a command generating logic.
- Local bus controller 220 transmits and receives data, through local bus 4 , to and from PLC 100 or other units 200 which this bus controller is connected to.
- Security unit 2130 is a security chip used to execute the access authentication process and is allowed to intercommunicate with function module 210 and local bus controller 220 .
- Security unit 2130 includes a processor 2161 , a storage 2162 and a memory 2163 .
- Processor 2161 is a computing unit in charge of computations for control and may include, for example, MPU.
- Processor 2161 reads programs stored in storage 2162 (for example, restoration program 2150 ) and then expands and runs the read program on memory 2163 , so that predetermined processes for control are executed.
- FIG. 3 presents an example in which the functions required of units 200 are provided by having processor 2161 run predetermined programs. Instead, the functions thus provided may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).
- Memory 2163 may include a volatile storage device, for example, DRAM or SRAM.
- Storage 2162 may include a non-volatile storage device, for example, flash memory. This storage is an example of the “storage region” in unit 200 .
- In storage 2162 are stored a restoration program 2150 , a user data 2160 , a certificate data 2170 , an identification data 2180 , and a list 200 L.
- Restoration program 2150 contains programs run to restore unit 200 .
- User data 2160 contains pieces of information used to identify users in control system 1 (for example, account names, passwords).
- Certificate data 2170 contains information used to prove that units 200 are authorized devices for control system 1 .
- certificate data 2170 contains information on certificates issued when the devices are authenticated by the original manufacturers as genuine products.
- Certificate data 2170 may otherwise contain information on certificates issued when the devices are authenticated by users or third parties like outside organizations, instead of the original manufacturers.
- FIG. 4 is a block diagram that schematically illustrates exemplified hardware components of support device 400 according to the embodiments.
- Support device 400 is implemented by, for example, prompting a computer that complies with general-purpose architectures to execute a program.
- support device 400 includes a processor 402 , a main memory 404 , a storage 406 , an input unit 408 , a display unit 410 , an optical drive 412 and a network controller 416 . These components are interconnected through a processor bus 418 .
- Processor 402 may include, for example, CPU and GPU. This processor reads programs stored in storage 406 (for example, OS 4060 and support program 4062 ) and then expands and runs the read program on main memory 404 , so that predetermined processes for control are executed.
- FIG. 4 presents an example in which the functions required of support device 400 are provided by having processor 402 run predetermined programs. Instead, the functions thus provided may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).
- Main memory 404 may include a volatile storage device, for example, DRAM or SRAM.
- Storage 406 may include a volatile storage device, for example, HDD or SSD.
- support program 4062 is stored in storage 406 .
- This support program provides functions required of support device 400 .
- Support program 4062 prompts a computer to operate as support device 400 .
- Input unit 408 may include a keyboard and a mouse to receive inputs from a user.
- Display unit 410 includes a display, indicators and a printer, so that processing results of processor 402 , for example, are outputted.
- Network controller 416 transmits and receives data, through network 2 , to and from optional external devices, for example, PLC 100 .
- Support device 400 is equipped with optical drive 412 .
- Programs that are non-transitorily stored in a computer-readable recording medium 414 are read from this recording medium and installed into, for example, storage 406 .
- Support program 4062 run by support device 400 , for example, may be installed through computer-readable recording medium 414 or may be downloaded from, for example, a network server and then installed.
- the functions provided by support device 400 according to the embodiments may be feasible by leveraging some of the modules provided by OS.
- serial verification in which serial numbers are used for verification in the access authentication process (hereinafter, may be referred to as “serial verification”).
- FIG. 5 is a diagram that schematically illustrates an exemplified serial verification when data is duly accessed in control system 1 according to the embodiments.
- FIG. 6 is a diagram that schematically illustrates an example of serial verification assessment in control system 1 according to the embodiments.
- PLC 100 in slot 1 breaks down, and a control system 1 a should desirably be newly built by replacing failed PLC 100 with a PLC 100 a .
- PLC 100 a : “A” as model code and “f” as serial number are assigned to this device.
- PLC 100 a newly introduced to replace PLC 100 has the same model code as that of PLC 100 and a serial number that differs from that of PLC 100 .
- the access authentication process is carried out by memory card 300 , PLC 100 a and units 200 - 1 to 200 - 4 .
- PLC 100 a is a newly introduced device, so its list 100 a L contains no information (blank).
- Memory card 300 obtains the serial number “f” as identification data from PLC 100 a in slot 1 and verifies the obtained serial number against the serial number “a” for slot 1 stored in its own list 300 L. Then, memory card 300 determines that the serial numbers are inconsistent. Memory card 300 obtains the serial numbers “b”, “c”, “d” and “e” as identification data from units 200 of slots 2 to 5 and verifies the obtained serial numbers against the serial numbers “b”, “c”, “d” and “e” for slots 2 to 5 stored in its own list 300 L. Then, memory card 300 determines that the serial numbers obtained from the different sources are consistent. As a result of the verification by memory card 300 , the serial numbers for slot 1 alone are determined as inconsistent.
- Memory card 300 sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency. As illustrated in FIG. 6 , the bit “1” is set for slot 1 alone and the bit “0” is set for the other members based on the verification result.
- PLC 100 a obtains the serial number “y” as identification data from memory card 300 and verifies the obtained serial number against the serial number for this memory card stored in its own list 100 a L. Since list 100 a L contains no information (blank), PLC 100 a determines that the serial numbers are inconsistent. PLC 100 a obtains the serial numbers “b”, “c”, “d” and “e” as identification data from units 200 of slots 2 to 5 and verifies the obtained serial numbers against the serial numbers for slots 2 to 5 stored in its own list 100 a L. Because list 100 a L contains no information (blank), PLC 100 a determines that the serial numbers are inconsistent. As a result of the verification by PLC 100 a , the serial numbers for memory card 300 and slots 2 to 5 are determined as inconsistent.
- the bit “1” is set for slots 2 to 5 and memory card 300 based on the verification result.
- Units 200 - 1 to 200 - 4 each obtain the serial number “y” as identification data from memory card 300 and verify the obtained serial number against the serial number “y” stored in their own lists 200 - 1 L to 200 - 4 L. Then, units 200 - 1 to 200 - 4 determine that the serial numbers are consistent. Units 200 - 1 to 200 - 4 obtain the serial number “1” as identification data from PLC 100 a and verify the obtained serial number against the serial number “a” for slot 1 stored in their own lists 200 - 1 L to 200 - 4 L. Then, units 200 - 1 to 200 - 4 determine that the serial numbers are inconsistent.
- Units 200 each obtain the serial numbers as identification data from the other units 200 and verify the obtained serial numbers against the serial numbers for the other units 200 stored in their own lists. Then, units 200 determine that the serial numbers are consistent. As a result of the verification by units 200 - 1 to 200 - 4 , the serial numbers for slot 1 alone are determined as inconsistent.
- Units 200 of slots 2 to 5 set the bit “0” in their own tables when the verification result indicates consistency and set the bit “1” when the verification result indicates inconsistency. As illustrated in FIG. 6 , the bit “1” is set for slot 1 alone and the bit “0” is set for the other members based on the verification result.
- the verification results obtained by the members are transmitted to the other members, so that the table illustrated in FIG. 6 can be shared among all of the members.
- One of the members determines whether the verification results satisfy a predetermined condition. Specifically, the bits set by the members are added as illustrated in FIG. 6 , a result of which is then divided by the number of members to calculate an average value (%). Based on the calculated average values of the members, it is determined whether any device with an average value greater than 50% is among the members. In the illustrated example, the average value exceeds 50% in slot 1 alone.
- the verification result is determined as indicating a low degree of consistency, disallowing data accesses.
- the verification result is determined as being acceptable.
- memory card 300 enables PLC 100 a to access the backup data.
- FIG. 7 is a diagram that schematically illustrates an exemplified serial verification when data is unduly accessed in control system 1 according to the embodiments.
- PLC 100 x of slot 1 and units 200 x - 1 to 200 x - 4 of slots 2 to 5 are interconnected through a local bus 4 x in a manner that these devices are allowed to communicate with one another.
- PLC 100 x in slot 1 : “A” as model code and “o” as serial number are assigned to this device.
- “B” as model code and “p” as serial number are assigned to this device.
- “B” as model code and “q” as serial number are assigned to this device.
- “C” as model code and “r” as serial number are assigned to this device.
- “C” as model code and “s” as serial number are assigned to this device.
- When memory card 300 is inserted in PLC 100 x to unduly restore the backup data of PLC 100 , the data in memory card 300 is not accessible by PLC 100 x without the access authentication process unless a program required to run this process has been pre-installed in this device. This may prevent the risk of data leakage.
- Supposing that the respective members are loaded with such an access authentication program, memory card 300 , PLC 100 x and units 200 x - 1 to 200 x - 4 carry out the access authentication process (serial authentication).
- Memory card 300 obtains the serial number “o” as identification data from PLC 100 x in slot 1 and verifies the obtained serial number against the serial number “a” for slot 1 stored in its own list 300 L. Then, memory card 300 determines that the serial numbers are inconsistent. Memory card 300 obtains the serial numbers “p”, “q”, “r” and “s” as identification data from units 200 x of slots 2 to 5 and verifies the obtained serial numbers against the serial numbers “b”, “c”, “d” and “e” for slots 2 to 5 stored in its own list 300 L. Then, memory card 300 determines that the serial numbers obtained are inconsistent. As a result of the verification by memory card 300 , the serial numbers are determined as inconsistent for all of the slots 1 to 5 .
- the serial numbers of and obtained from the members are verified against the serial numbers of the members stored in list 300 L of memory card 300 , and the degree of consistency is determined as low when the number of members with their serial numbers being determined as consistent does not exceed a certain number (for example, three).
- The serial number-based verification result thus indicates a low degree of consistency; therefore, memory card 300 does not enable PLC 100 x to access or restore the backup data.
- model verification in which model codes are used for verification in the access authentication process (hereinafter, may be referred to as “model verification”).
- FIG. 8 is a diagram that schematically illustrates an exemplified model verification when data is duly accessed in control system 1 according to the embodiments.
- FIG. 9 is a diagram that schematically illustrates an example of model verification assessment in control system 1 according to the embodiments.
- control system 1 b by duplicating a line configured similarly to that of control system 1 .
- PLC 100 b of slot 1 and units 200 b - 1 to 200 b - 4 of slots 2 to 5 are interconnected through a local bus 4 b in a manner that these devices are allowed to communicate with one another.
- PLC 100 b in slot 1 : “A” as model code and “g” as serial number are assigned to this device.
- “B” as model code and “h” as serial number are assigned to this device.
- “B” as model code and “i” as serial number are assigned to this device.
- “C” as model code and “j” as serial number are assigned to this device.
- “C” as model code and “k” as serial number are assigned to this device.
- the access authentication process (model authentication) is carried out by memory card 300 , PLC 100 b and units 200 b - 1 to 200 b - 4 .
- list 300 L of memory card 300 list 200 b - 1 L of unit 200 b - 1 , list 200 b - 2 L of unit 200 b - 2 , list 200 b - 3 L of unit 200 b - 3 , and list 200 b - 4 L of unit 200 b - 4 .
- Memory card 300 obtains the model code “A” as identification data from PLC 100 b in slot 1 and verifies the obtained model code against the model code “A” for slot 1 stored in its own list 300 L. Then, memory card 300 determines that the model codes obtained from the different sources are consistent. Memory card 300 obtains the model codes “B”, “B”, “C” and “C” as identification data from units 200 of slots 2 to 5 and verifies the obtained model codes against the model codes “B”, “B”, “C” and “C” for slots 2 to 5 stored in its own list 300 L. Then, memory card 300 determines that the model codes obtained from the different sources are consistent. Based on the verification result obtained by memory card 300 , the model codes are determined as consistent for all of the slots 1 to 5 .
- Memory card 300 sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency. As illustrated in FIG. 9 , the bit “0” is set for slots 1 to 5 based on the verification result.
- PLC 100 b obtains the model code “X” as identification data from memory card 300 and verifies the obtained model code against the model code “X” for this memory card stored in its own list 100 b L. Then, PLC 100 b determines that the model codes obtained from the different sources are consistent. PLC 100 b obtains the model codes “B”, “B”, “C” and “C” as identification data from units 200 b of slots 2 to 5 and verifies the obtained model codes against the model codes “B”, “B”, “C” and “C” for slots 2 to 5 stored in its own list 100 b L. Then, PLC 100 b determines that the model codes obtained from the different sources are consistent. Based on the verification result obtained by PLC 100 b , the model codes are determined as consistent for all of the slots 1 to 5 .
- bit “0” is set for slots 2 to 5 and memory card 300 based on the verification result.
- Units 200 b - 1 to 200 b - 4 each obtains the model code “X” as identification data from memory card 300 and verifies the obtained model code against the model code “X” for this memory card stored in a respective one of their own lists 200 b - 1 L to 200 b - 4 L. Then, units 200 b - 1 to 200 b - 4 determine that the model codes obtained from the different sources are consistent. Units 200 b - 1 to 200 b - 4 each obtains the model code “A” as identification data from PLC 100 b and verifies the obtained model code against the model code “A” for slot 1 stored in a respective one of their own lists 200 b - 1 L to 200 b - 4 L.
- units 200 b - 1 to 200 b - 4 determine that the model codes obtained from the different sources are consistent.
- Units 200 b each obtains the model codes as identification data from the other units 200 b and verifies the obtained model codes against the model codes for the other units 200 b stored in their own lists. Then, units 200 b determine that the model codes are consistent. Based on the verification result obtained by units 200 b - 1 to 200 b - 4 , the model codes are determined as consistent for all of the slots 1 to 5 .
- Units 200 b in slots 2 to 5 each set the bit “0” in their own tables when the verification result indicates consistency and set the bit “1” when the verification result indicates inconsistency. As illustrated in FIG. 9 , the bit “0” is set for the respective members based on the verification result.
- the model codes for all of memory card 300 and slots 1 to 5 are determined as consistent. As a result, it is determined by many of the members that the members including PLC 100 b in slot 1 are mostly not replaced or changed. The model code-based verification result thus indicates a high degree of consistency. Based on the rule of majority vote, therefore, memory card 300 enables PLC 100 b to access and restore the backup data.
- the verification results obtained by the members are transmitted to the other members, so that the table illustrated in FIG. 9 can be shared among all of the members.
- One of the members determines whether the verification results satisfy a predetermined condition. Specifically, the bits set by the members are added as illustrated in FIG. 9 , a result of which is then divided by the number of members to calculate an average value (%). Based on the calculated average values of the members, it is determined whether any device with an average value greater than 50% is among the members. In the illustrated example, none of the members has an average value greater than 50%.
- the verification result is determined as indicating a low degree of consistency, disallowing data accesses.
- the verification result is determined as being acceptable.
- memory card 300 enables PLC 100 a to access the backup data.
- accesses to the backup data stored in memory card 300 are enabled in regard to the members of the same model code having different serial numbers, as illustrated in the example of FIGS. 8 and 9 . This may ensure a good balance between user-friendliness and better security in data accesses to memory card 300 .
- FIG. 10 is a diagram that schematically illustrates an exemplified model verification when data is unduly accessed in control system 1 according to the embodiments.
- PLC 100 y in slot 1 : “D” as model code and “k” as serial number are assigned to this device.
- “E” as model code and “I” as serial number are assigned to this device.
- “E” as model code and “m” as serial number are assigned to this device.
- “F” as model code and “n” as serial number are assigned to this device.
- Slot 5 is empty with no unit.
- When memory card 300 is inserted in PLC 100 y to unduly restore the backup data of PLC 100 , the data in memory card 300 is not accessible by PLC 100 y without the access authentication process unless a program required to run this process has been pre-installed in this device. This may prevent the risk of data leakage.
- Supposing that the respective members are loaded with the program installed to run the access authentication process, memory card 300 , PLC 100 y and units 200 y - 1 to 200 y - 3 carry out the access authentication process (model authentication).
- Memory card 300 obtains the model code “D” as identification data from PLC 100 y in slot 1 and verifies the obtained model code against the model code “A” for slot 1 stored in its own list 300 L. Then, memory card 300 determines that the model codes are inconsistent. Memory card 300 obtains the model codes “E”, “E” and “F” as identification data from units 200 y of slots 2 to 4 and verifies the obtained model codes against the model codes “B”, “B” and “C” for slots 2 to 4 stored in its own list 300 L. Then, memory card 300 determines that the model codes are inconsistent. The identification data is not obtainable from slot 5 and therefore cannot be verified against the model code “C” for slot 5 stored in its own list 300 L. Then, memory card 300 determines a lack of consistency. Based on the verification result obtained by memory card 300 , the model codes are determined as inconsistent for all of the slots 1 to 5 .
- the model codes of and obtained from the members are verified against the model codes of the members stored in list 300 L of memory card 300 , and the degree of consistency is determined as low when the number of members with their model codes being determined as consistent does not exceed a certain number (for example, three).
- The model code-based verification result thus indicates a low degree of consistency; therefore, memory card 300 does not enable PLC 100 y to access or restore the backup data.
- FIG. 11 is a diagram that schematically illustrates an exemplified setting screen of support device 400 according to the embodiments. As illustrated in FIG. 11 , support device 400 provides a user interface that allows users to input various settings for the access authentication process.
- support device 400 has a screen 450 which includes the following fields; user information 451 in which user information is settable, user authentication method 452 in which a user authentication method is settable, password 453 in which a password is settable, a verification method 454 in which a verification method is settable, security level 455 in which a level of security is settable, and applicable range 456 in which a range of applicable devices is settable.
- a user inputs an account name of his/her own choice in the field of user information 451 and is thus able to set the account name as his/her user information.
- the user can select and set a user authentication method of his/her own choice in the field of user authentication method 452 .
- face authentication or biometric authentication for example, fingerprint authentication
- the user who selected the password authentication can input a password of his/her own choice in the field of password 453 .
- support device 400 provides a user interface that allows users to select either one of the serial verification and the model verification.
- control system may be successfully built in a suitable manner for a level of security required of the system.
- support device 400 may offer the user such an option that both of the model and serial verifications are available.
- control system 1 may determine whether the devices are enabled to access the data in memory card 300 using both of the model verification and the serial verification.
- the user can set a level of security required of control system 1 .
- the user can set the number of devices, among all of the devices, subject to the serial verification or the model verification in the access authentication process. While all of the devices should desirably be verified in view of security, the number of devices to be verified may be decreased in order to shorten processing time or lessen the workload of complex processes.
- the number of devices to be verified may desirably be a total number of devices from which “1” has been subtracted.
- support device 400 according to the embodiments disclosed herein provides a user interface that allows users to set the number of devices to be verified.
- control system may be successfully built in a suitable manner for a level of security required of the system.
- the user can set, in the field of applicable range 456 , a range of applicable members subject to the serial verification and/or the model verification in the access authentication process.
- the user may select, as a range of applicable devices, PLC 100 and the devices connected to PLC 100 through the local bus 4 , or may further select, in addition to these devices, tools like network 2 and support device 400 .
- support device 400 according to the embodiments disclosed herein provides a user interface that allows users to set the range of applicable devices.
- control system may be successfully built in a suitable manner for a level of security required of the system.
- An example of the access authentication process executed in control system 1 according to the embodiments disclosed herein is hereinafter described referring to FIGS. 12 and 13 .
- FIG. 12 is a sequence diagram that illustrates an exemplified access authentication process using the serial verification executed in control system 1 according to the embodiments disclosed herein.
- FIGS. 5 and 6 the access authentication process
- this drawing illustrates the data restoration after PLC 100 with the serial number of “a” is replaced with PLC 100 a with the serial number of “f” in slot 1 .
- PLC 100 a of slot 1 verifies user data 1160 retained by itself against the user data obtained from support device 400 . When these two pieces of user data obtained from the different sources are consistent with each other, PLC 100 a transmits certificate data 1170 retained by itself to units 200 of slots 2 to 5 (step (4)). PLC 100 a of slot 1 does not transmit certificate data 1170 unless the user data is authenticated.
- When units 200 of slots 2 to 5 determine that PLC 100 a is a genuine product supplied by the original manufacturer based on certificate data 1170 , these units 200 transmit, to PLC 100 a , authentication data indicating that PLC 100 a has been authenticated (step (5)).
- Units 200 of slots 2 to 5 do not transmit the authentication data to PLC 100 a unless PLC 100 a is determined as being a genuine product supplied by the original manufacturer.
- Units 200 of slots 2 to 5 verify user data 2160 retained by themselves against the user data obtained from support device 400 . When these two pieces of user data obtained from the different sources are consistent with each other, units 200 transmit certificate data 2170 retained by themselves to PLC 100 a of slot 1 (step (6)). Units 200 of slots 2 to 5 do not transmit certificate data 2170 unless the user data is authenticated.
- Memory card 300 verifies user data 1360 retained by itself against the user data obtained from support device 400 . When these two pieces of user data obtained from the different sources are consistent with each other, memory card 300 transmits certificate data 1370 retained by itself to PLC 100 a of slot 1 (step (7)). Memory card 300 does not transmit certificate data 1370 unless the user data is authenticated.
- When PLC 100 a of slot 1 determines that units 200 of slots 2 to 5 are genuine products supplied by the original manufacturers based on certificate data 2170 , PLC 100 a transmits, to units 200 , authentication data indicating that units 200 have been authenticated (step (8)). PLC 100 a of slot 1 does not transmit the authentication data unless units 200 of slots 2 to 5 are determined as being genuine products supplied by the original manufacturers.
- When PLC 100 a of slot 1 determines that memory card 300 is a genuine product supplied by the original manufacturer based on certificate data 1370 , PLC 100 a transmits, to memory card 300 , authentication data indicating that memory card 300 has been authenticated (step (9)). PLC 100 a of slot 1 does not transmit the authentication data unless memory card 300 is determined as being a genuine product supplied by the original manufacturer.
- PLC 100 a in slot 1 thereafter transmits identification data 1180 (serial number “1”) retained by itself to units 200 in slots 2 to 5 (step (10)).
- PLC 100 a in slot 1 thereafter transmits identification data 1180 (serial number “f”) retained by itself to memory card 300 (step (11)).
- units 200 in slots 2 to 5 thereafter transmit identification data 2180 (serial numbers “b”, “c”, “d” and “e”) retained by themselves to memory card 300 (step (12)).
- memory card 300 thereafter transmits identification data 1380 (serial number “y”) retained by itself to units 200 in slots 2 to 5 (step (13)).
- units 200 in slots 2 to 5 thereafter transmit identification data 2180 retained by themselves to the other units 200 (step (14)).
- memory card 300 , PLC 100 a in slot 1 and units 200 in slots 2 to 5 obtain the pieces of identification data of the members (serial numbers).
- memory card 300 , PLC 100 a in slot 1 and units 200 in slots 2 to 5 verify the obtained identification data (serial numbers) of the members against the serial numbers of the members stored in the lists retained by themselves (step 15 )).
- memory card 300 when the degree of consistency in the serial number-based verification result is determined as high by one of the members (for example, member that first acquired the verification results of the members), memory card 300 enables PLC 100 a to access the backup data and transmits the backup data to PLC 100 a in slot 1 (step 16 )).
- the members update their own lists based on the pieces of identification data (serial numbers) obtained from the other members (step 17 )).
- the lists retained by the members are thus updated into the latest data.
- PLC 100 a of slot 1 restores the data based on the backup data obtained from memory card 300 (step 18 )).
- the backup data is transmitted from memory card 300 to PLC 100 a of slot 1 when the degree of consistency in the model verification result is determined as high.
- the backup data may be transmitted from memory card 300 to PLC 100 a of slot 1 after PLC 100 a , memory card 300 and units 200 are mutually authenticated.
- PLC 100 a of slot 1 may be prohibited from restoring the data unless the degree of consistency in the model verification result is determined as high.
- memory card 300 may possibly be accidentally inserted in any system differently configured. In such an event, the data in memory card 300 becomes inaccessible from any device unless such accesses are authorized as a result of the access authentication process (serial verification) described earlier. This may prevent undue data accesses even if memory card 300 is inserted in wrong systems.
- FIG. 13 is a sequence diagram that illustrates an exemplified access authentication process using the model verification executed in control system 1 according to the embodiments.
- the access authentication process model verification
- FIGS. 8 and 9 This drawing illustrates an example of restoration after a line configured similarly to that of control system 1 is duplicated.
- Memory card 300 verifies user data 1360 retained by itself against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, memory card 300 transmits certificate data 1370 retained by itself to PLC 100 b of slot 1 (step (2)). Memory card 300 does not transmit certificate data 1370 unless the user data is authenticated.
- When PLC 100 b of slot 1 determines that memory card 300 is a genuine product supplied by the original manufacturer based on certificate data 1370, PLC 100 b transmits, to memory card 300, authentication data indicating that memory card 300 has been authenticated (step (3)). PLC 100 of slot 1 does not transmit the authentication data unless memory card 300 is determined as being a genuine product supplied by the original manufacturer.
- PLC 100 b of slot 1 verifies user data 1160 retained by itself against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, PLC 100 b transmits certificate data 1170 retained by itself to memory card 300 of slot 1 (step (4)). PLC 100 b of slot 1 does not transmit certificate data 1170 unless the user data is authenticated.
- When memory card 300 determines that PLC 100 b of slot 1 is a genuine product supplied by the original manufacturer based on certificate data 1170, memory card 300 transmits, to PLC 100 b, authentication data indicating that PLC 100 b has been authenticated (step (5)). Memory card 300 does not transmit the authentication data unless PLC 100 b of slot 1 is determined as being a genuine product supplied by the original manufacturer.
- memory card 300 has been authenticated by PLC 100 b in slot 1
- PLC 100 b in slot 1 has been authenticated by memory card 300 .
- PLC 100 b in slot 1 thereafter transmits identification data 1180 (model code “A”) retained by itself to units 200 b in slots 2 to 5 (step (6)).
- PLC 100 b in slot 1 thereafter transmits identification data 1180 (model code “A”) retained by itself to memory card 300 (step (7)).
- Units 200 b in slots 2 to 5 thereafter transmit identification data 2180 (model codes “B”, “B”, “C” and “C”) retained by themselves to memory card 300 (step (8)).
- Memory card 300 thereafter transmits identification data 1380 (model code “X”) retained by itself to units 200 b in slots 2 to 5 (step (9)).
- Units 200 b in slots 2 to 5 thereafter transmit identification data 2180 retained by themselves to the other units 200 b (step (10)).
- Memory card 300, PLC 100 b in slot 1 and units 200 b in slots 2 to 5 obtain the pieces of identification data of the members (model codes).
- Memory card 300, PLC 100 b in slot 1 and units 200 b in slots 2 to 5 verify the pieces of identification data (model codes) obtained from the members against the model codes of the members stored in the lists retained by themselves (step (11)).
- Memory card 300 enables PLC 100 b to access the backup data and transmits the backup data to PLC 100 b in slot 1 (step (12)).
- PLC 100 b of slot 1 restores the data based on the backup data obtained from memory card 300 (step (13)).
- The backup data is transmitted from memory card 300 to PLC 100 b of slot 1 when the degree of consistency in the model verification result is determined as high.
- The backup data may be transmitted from memory card 300 to PLC 100 b of slot 1 after PLC 100 b and memory card 300 are mutually authenticated.
- PLC 100 b of slot 1 may be prohibited from restoring the data unless the degree of consistency in the model verification result is determined as high.
- Accesses to the backup data stored in memory card 300 are enabled in regard to the members of the same model code having different serial numbers. This may ensure a good balance between user-friendliness and better security in data accesses to removable storage media.
- Memory card 300 may possibly be accidentally inserted in any system differently configured. In such an event, the data in memory card 300 becomes inaccessible from any device unless such accesses are authorized as a result of the access authentication process (model verification) described earlier. This may prevent undue data accesses even if memory card 300 is inserted in wrong systems.
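The serial verification and model verification sequences above can be condensed into a small simulation; this is an added Python example, not code from the patent. The member names (`slot1` to `slot5`, `card`), the serials `g` to `k` and `p` to `t`, the model codes `D` and `E`, the list contents of the duplicated and differently configured systems, and the `required_matches` form of the "predetermined condition" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Configuration used on the page: name -> (model code, serial number).
ORIGINAL = {
    "slot1": ("A", "a"), "slot2": ("B", "b"), "slot3": ("B", "c"),
    "slot4": ("C", "d"), "slot5": ("C", "e"), "card": ("X", "y"),
}


@dataclass
class Member:
    name: str      # position in the configuration (assumed naming)
    model: str     # model code, may be shared by several members
    serial: str    # serial number, unique per physical member
    retained: dict = field(default_factory=dict)  # list held in the storage region

    def matches(self, members, mode):
        """Count the other members whose reported value equals the retained entry."""
        if mode not in ("model", "serial"):
            raise ValueError("mode must be 'model' or 'serial'")
        idx = 0 if mode == "model" else 1
        count = 0
        for other in members:
            if other.name == self.name:
                continue
            reported = (other.model, other.serial)[idx]
            entry = self.retained.get(other.name)
            if entry is not None and entry[idx] == reported:
                count += 1
        return count


def decide_access(members, first_device, mode, required_matches):
    """Grant access only if every member except the first device finds at least
    required_matches consistent entries (assumed form of the condition)."""
    results = {m.name: m.matches(members, mode)
               for m in members if m.name != first_device}
    return all(n >= required_matches for n in results.values()), results


def build(identities, lists):
    """Create members; a member without an entry in lists starts with an empty list."""
    return [Member(n, mo, se, dict(lists.get(n, {})))
            for n, (mo, se) in identities.items()]


def replaced_plc():
    """Broken PLC swapped for a new one (serial 'f'); everything else unchanged."""
    identities = dict(ORIGINAL, slot1=("A", "f"))
    lists = {n: ORIGINAL for n in ORIGINAL if n != "slot1"}
    return build(identities, lists)


def duplicated_line():
    """Same models, different serials (constructed); the card still holds ORIGINAL."""
    identities = {
        "slot1": ("A", "g"), "slot2": ("B", "h"), "slot3": ("B", "i"),
        "slot4": ("C", "j"), "slot5": ("C", "k"), "card": ("X", "y"),
    }
    lists = {n: identities for n in identities if n != "card"}
    lists["card"] = ORIGINAL
    return build(identities, lists)


def wrong_system():
    """Card inserted into a differently configured system (constructed values)."""
    identities = {
        "slot1": ("A", "p"), "slot2": ("D", "q"), "slot3": ("D", "r"),
        "slot4": ("E", "s"), "slot5": ("E", "t"), "card": ("X", "y"),
    }
    devices = {n: v for n, v in identities.items() if n != "card"}
    lists = {n: devices for n in devices}
    lists["card"] = ORIGINAL
    return build(identities, lists)


if __name__ == "__main__":
    for label, scenario in (("replaced PLC", replaced_plc),
                            ("duplicated line", duplicated_line),
                            ("wrong system", wrong_system)):
        for mode in ("serial", "model"):
            granted, results = decide_access(scenario(), "slot1", mode, 4)
            print(f"{label:16} {mode:7} granted={granted} {results}")
```

With `required_matches` set to 4, the replaced PLC passes serial verification because only one entry changed, the duplicated line passes model verification only, and the differently configured system is refused in both modes because the card's own list does not match.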
- a control system ( 1 ) is configured to control access to data in a device group, the device group includes a plurality of devices ( 100 , 200 - 1 to 200 - 4 ), and the plurality of devices are configured to communicate with one another.
- the control system is equipped with:
- one or a plurality of second devices ( 200 - 1 to 200 - 4 ) included in the plurality of devices.
- control system ( 1 ) is further characterized in that,
- each of members of the plurality of devices and the storage medium include:
- the first device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the first device satisfies a predetermined condition.
- the first device includes a reader ( 1130 ) including a concealed logic for exclusive use, and
- the storage medium is configured to permit access from the reader alone.
- the relevant information includes a serial number for identification of each of the members, and
- the verifying unit verifies the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members.
- the relevant information includes a model code of each of the members
- the verifying unit verifies model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members.
- control system ( 1 ) according to aspect 1 or 2 further includes a support device ( 400 ) configured to support the device group and is further characterized in that,
- the relevant information includes a serial number used to individually identify each of the members and a model code of each of the members,
- the verifying unit includes:
- the support device provides a user interface ( 454 ) configured to select the first verifying unit or the second verifying unit.
- control system ( 1 ) further includes a support device ( 400 ) configured to support the device group and is further characterized in that,
- the support device provides a user interface ( 455 ) configured to set a number of any members included in the members but the first device to be verified by the verifying unit.
- control system ( 1 ) further includes a support device ( 400 ) configured to support the device group and is further characterized in that,
- the support device provides a user interface ( 456 ) configured to set a range of applicable members among the members.
- a method for controlling access to data in a device group, the device group includes a plurality of devices ( 100 , 200 - 1 to 200 - 4 ), and the plurality of devices are configured to communicate with one another.
- the plurality of devices include:
- a first device configured to receive, in a removable manner, a storage medium ( 300 ) in which data is storable;
- one or a plurality of second devices ( 200 - 1 to 200 - 4 ).
- Each of members of the plurality of devices and the storage medium includes a storage region ( 1332 , 1132 , 2162 ) configured to retain a list ( 300 L, 100 L, 200 - 1 L to 200 - 4 L) containing relevant information associated with each of the members.
- the method includes:
- Enabling the first device to access the data stored in the storage medium when a result of verification obtained by each of the other members but the first device satisfies a predetermined condition (step (16) of FIG. 12, step (12) of FIG. 13).
- a control device ( 100 ) is included in a device group, the device group has a plurality of devices ( 100 , 200 - 1 to 200 - 4 ), and the plurality of devices are configured to communicate with one another.
- the control device is configured to control access to data and includes a receiving portion ( 103 ) configured to receive, in a removable manner, a storage medium ( 300 ) in which data is storable.
- the control device ( 100 ) is further characterized in that,
- each of members of the plurality of devices and the storage medium includes:
- control device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the control device satisfies a predetermined condition.
- In control system 1, when memory card 300 is received by PLC 100, it is not until results of the relevant information verified by units 200 other than PLC 100 satisfy a predetermined condition that the data stored in memory card 300 becomes accessible. This may ensure a higher level of security without compromising user-friendliness in accesses to the data stored in removable memory card 300.
- control system 200 : unit, 2 : network
- 4 local bus, 1001 , 2001 , 3001 : list, 102 , 402 , 1131 , 2161 : processor, 103 , 113 : memory card interface, 104 , 404 : main memory, 105 : USB connector, 106 , 406 , 1132 , 2162 : storage, 108 , 416 : network controller, 130 , 418 : processor bus, 140 : control program, 210 : function module, 220 : local bus controller, 300 : memory card, 400 : support device, 408 : input unit, 410 : display unit, 412 : optical drive, 414 : recording medium, 450 : screen, 451 : field of user information, 452 : field of user authentication method, 453 : field of password, 454 : field of verification method, 455 : field of security level, 456 : field of applicable range, 1060 : system program, 1065 , 21
Abstract
A control system controls access to data in a device group of devices that communicate with one another. The control system includes a first device of the devices and that receives, in a removable manner, a storage medium in which data is storable, and one or more second devices of the devices. Each member of the devices and the storage medium includes a storage region that retains a list including relevant information associated with each of the members, and a verifier that verifies the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members. The first device accesses the data stored in the storage medium when a result of verification obtained by the verifier of each of the other members but the first device satisfies a condition.
Description
- This disclosure relates to a control system, a method and a control device, more particularly to a control system, a method and a control device for use in controlling access to data in a device group including a plurality of devices that are configured to communicate with each other.
- In many production sites, machinery and equipment that have been and are currently used in the sites may be typically controlled by control systems including control devices, for example, programmable logic controllers (hereinafter, may be referred to as “PLC”). Conventionally, data stored in removable storage media are often used in such control systems for system recovery or update of programs and/or data.
- For example, Japanese Patent Laying-Open No. 2011-215814 (patent literature 1) describes a backup and restoration system operable to backup or restore set values of target parameters in communication devices using a backup and restoration unit connected to the programmable logic controller (PLC). In this backup and restoration system, backup data stored in a removable storage medium, such as a memory card, is used to restore various pieces of data.
- PTL 1: Japanese Patent Laying-Open No. 2011-215814
- In the known art, data may be often stored in removable storage media and accessed from devices including PLC whenever necessary, as in the backup and restoration system described in the patent literature 1. Such removable storage media that users can easily carry with them are very user-friendly. On the other hand, such media that involve the risk of being stolen may raise certain concerns about security. An example of typical theft preventive measures may be access control through individual authentication using host devices authorized beforehand for the respective storage media. In the FA (factory automation)-related fields, however, the media, in practical use, may not always be inserted in the authorized host devices.
- To address these issues of the known art, this disclosure is directed to providing a technology that can offer enhanced security without compromising user-friendliness in data accesses to removable storage media.
- An aspect of this disclosure provides a control system configured to control access to data in a device group, the device group includes a plurality of devices, and the plurality of devices are configured to communicate with one another. The control system includes a first device included in the plurality of devices and configured to receive, in a removable manner, a storage medium in which data is storable, and one or a plurality of second devices included in the plurality of devices. Each of members of the plurality of devices and the storage medium includes: a storage region configured to retain a list including relevant information associated with each of the members; and a verifying unit configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members. The first device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the first device satisfies a predetermined condition.
- In the control system disclosed herein, when a storage medium is received by the first device, any members included in the members but the first device verify the relevant information, and it is not until results of the verification satisfy a predetermined condition that the data stored in the storage medium becomes accessible. This may offer an improved level of security while ensuring user-friendliness in accesses to the data stored in the removable storage medium.
- In the control system disclosed herein, the first device includes a reader including a concealed logic for exclusive use, and the storage medium is configured to permit access from the reader alone.
- In the control system thus characterized in that the storage medium can only be accessed from the reader of the first device including the concealed logic for exclusive use, a higher level of security may be ensured in data accesses to the removable storage medium.
- In the control system disclosed herein, the relevant information includes a serial number for identification of each of the members, and the verifying unit verifies the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members.
- In the control system thus characterized, the data stored in the storage medium can only be accessed after a predetermined condition is satisfied by a result of the verification of the serial number used to identify each member. This may offer an even higher degree of security in data accesses to the removable storage medium.
- In the control system disclosed herein, the relevant information includes a model code of each of the members, and the verifying unit verifies the model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members.
- In the control system thus characterized, the data stored in the storage medium can only be accessed after a predetermined condition is satisfied by a result of the verification of the model code of each member. Thus, accesses to the data stored in the storage medium may be enabled for the members of the same model code having different serial numbers. This may ensure a good balance between user-friendliness and better security in data accesses to the removable storage medium.
- The control system disclosed herein further includes a support device configured to support the device group. The relevant information includes a serial number used to individually identify each of the members and a model code of each of the members. The verifying unit includes: a first verifying unit configured to verify the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members; and a second verifying unit configured to verify the model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members. The support device provides a user interface configured to select the first verifying unit or the second verifying unit.
- In the control system thus characterized, a user is allowed to select, using the support device, which of the following is to be verified: the serial numbers used to individually identify the members, or the model codes of the members. Thus, the control system may be successfully built in a suitable manner for a level of security required of the system.
- The control system disclosed herein further includes a support device configured to support the device group. The support device provides a user interface configured to set a number of any members included in the members but the first device to be verified by the verifying unit.
- In the control system thus characterized, a user is allowed to set, using the support device, the number of members to be verified. Thus, the control system may be successfully built in a suitable manner for a level of security required of the system.
- The control system disclosed herein further includes a support device configured to support the device group. The support device provides a user interface configured to set a range of applicable members among the members.
- In the control system thus characterized, a user is allowed to set, using the support device, a range of applicable members. Thus, the control system may be successfully built in a suitable manner for a level of security required of the system.
- Another aspect of this disclosure provides a method for controlling access to data in a device group, the device group includes a plurality of devices, and the plurality of devices are configured to communicate with one another. The plurality of devices include a first device configured to receive, in a removable manner, a storage medium in which data is storable, and one or a plurality of second devices. Each of members of the plurality of devices and the storage medium includes a storage region configured to retain a list including relevant information associated with each of the members. The method includes: prompting each of the members to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members; and enabling the first device to access the data stored in the storage medium when a result of verification obtained by each of the other members but the first device satisfies a predetermined condition.
- In the control system disclosed herein, when a storage medium is received by the first device, any members included in the members but the first device verify the relevant information, and it is not until results of the verification satisfy a predetermined condition that the data stored in the storage medium becomes accessible. This may offer an improved level of security while ensuring user-friendliness in accesses to the data stored in the removable storage medium.
- Yet another aspect of this disclosure provides a control device configured to control access to data and included in a device group, the device group has a plurality of devices, and the plurality of devices are configured to communicate with one another. The control device includes a receiving portion configured to receive, in a removable manner, a storage medium in which data is storable. Each of members of the plurality of devices and the storage medium includes: a storage region configured to retain a list containing relevant information associated with each of the members; and a verifying unit configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members. The control device is configured to access the data stored in the storage medium when a result of the verification obtained by the verifying unit of each of the other members but the control device satisfies a predetermined condition.
- In the control system disclosed herein, when a storage medium is received by the first device, any members included in the members but the first device verify the relevant information, and it is not until results of the verification satisfy a predetermined condition that the data stored in the storage medium becomes accessible. This may offer an improved level of security while ensuring user-friendliness in accesses to the data stored in the removable storage medium.
- FIG. 1 is a diagram that schematically illustrates a control system according to embodiments of this disclosure.
- FIG. 2 is a block diagram that schematically illustrates exemplified hardware components of a PLC and a memory card configuration according to the embodiments.
- FIG. 3 is a block diagram that schematically illustrates exemplified hardware components of a unit according to the embodiments.
- FIG. 4 is a block diagram that schematically illustrates exemplified hardware components of a support device according to the embodiments.
- FIG. 5 is a diagram that schematically illustrates an exemplified serial verification when data is duly accessed in a control system according to the embodiments.
- FIG. 6 is a diagram that schematically illustrates an example of serial verification assessment in the control system according to the embodiments.
- FIG. 7 is a diagram that schematically illustrates an exemplified serial verification when data is unduly accessed in the control system according to the embodiments.
- FIG. 8 is a diagram that schematically illustrates an exemplified model verification when data is duly accessed in the control system according to the embodiments.
- FIG. 9 is a diagram that schematically illustrates an example of model verification assessment in the control system according to the embodiments.
- FIG. 10 is a diagram that schematically illustrates an exemplified model verification when data is unduly accessed in the control system according to the embodiments.
- FIG. 11 is a diagram that schematically illustrates an exemplified setting screen of the support device according to the embodiments.
- FIG. 12 is a sequence diagram that illustrates an exemplified access authentication process using the serial verification executed in the control system according to the embodiments.
- FIG. 13 is a sequence diagram that illustrates an exemplified access authentication process using the model verification executed in the control system according to the embodiments.
- Embodiments of the technology disclosed herein are hereinafter described in detail referring to the accompanying drawings. Any identical, similar and corresponding components are simply marked with like reference signs. Such components, once they are described, will not be repetitively described.
- <A. Example of Application>
- Hereinafter is described an exemplified case to which the technology disclosed herein is applicable.
- FIG. 1 is a diagram that schematically illustrates an exemplified case to which a control system 1 is applicable. As illustrated in FIG. 1, control system 1 according to embodiments of this disclosure includes a device group including a plurality of devices that are allowed to communicate with one another.
- In the specification of this disclosure, the “device” may refer to a target element to be controlled that constitutes control system 1, and programs, configuration settings and parameters required of computations for control may be generated and managed per each device. The “device” may typically encompass in its scope a programmable logic controller (PLC) which is a processing entity in charge of executing a control program (which may include sequence control and motion control), and peripheral devices connected to the PLC. The peripheral device may typically be a device that transmits and receives, to and from targets to be controlled, input and output data handled in the PLC. Specific examples of the peripheral device may include unit, slave device and coupler unit.
- In the example illustrated in FIG. 1, control system 1 includes the following devices: a programmable logic controller (PLC) 100, and a plurality of units 200-1, 200-2, 200-3 and 200-4 (hereinafter, may be collectively referred to as “units 200”) connectable to the PLC 100 in a manner that these units are allowed to communicate with the PLC. PLC 100 is presented as an example of the “first device”, and units 200 are presented as an example of the “second device”. The “first device” and the “second device” may be any one of such devices as PLC, unit, slave device, and coupler unit.
- With PLC 100 being disposed in a slot 1 (Slot 1 in the drawing) as a key device, unit 200-1 is disposed in a slot 2 (Unit 1 in the drawing), unit 200-2 is disposed in a slot 3 (Unit 2 in the drawing), unit 200-3 is disposed in a slot 4 (Unit 3 in the drawing), and unit 200-4 is disposed in a slot 5 (Unit 4 in the drawing). These units 200-1 to 200-4 are connected to PLC 100 through a local bus 4 and are thereby allowed to communicate with PLC 100.
- Control system 1 further includes a support device 400 configured to support the device group. Support device 400 is in charge of developing and managing control programs executed in the devices of control system 1 and parameters required of this system. PLC 100 is equipped with a USB (Universal Serial Bus) connector 105 connectable to and allowed to communicate with support device 400. Any programs and parameters for settings developed by support device 400 are transferred (downloaded) through USB connector 105 into PLC 100 and units 200 by way of a network 2.
- Control system 1 thus configured is loaded with functions for system recovery and update of data and programs in which the data stored in removable storage media is used. For example, PLC 100 has a memory card interface 103 which receives memory card 300 in a removable manner. The data can be acquired by accessing memory card 300 mounted to memory card interface 103. Memory card interface 103 is an example of the “receiving portion”.
- A specific use of this memory card interface may be backup and recovery of the system. For example, a user may store and save, in memory card 300, pieces of data used in the devices through memory card interface 103. The device, if it breaks down, may be replaced with a new device, and the data saved and stored in memory card 300 (hereinafter, may be referred to as “backup data”) may be reloaded in the new device. This process may also be referred to as “restoration”. The backup data may typically be used to fix any bugs and errors of control system 1.
- Memory card 300 described herein as an example of the “storage medium” may be selected from any removable memory cards such as SD (Secure Digital) cards. Other examples of the “storage medium” may include any removable storage media such as USB memory, compact flash (registered trademark) and memory stick.
- The “data” stored in the storage medium may include the backup data described earlier, programs and parameters used in the devices, and log data and trace data obtained by the devices.

The backup data may be stored in removable memory card 300 to invite the devices, for example, PLC 100, to access the stored data, whenever necessary. Such removable memory card 300 that users can easily carry with them is thus very user-friendly. On the other hand, such removable medium that involves the risk of being stolen may raise certain concerns about security. An example of typical theft preventive measures may be access control through individual authentication using a host device(s) authorized beforehand for memory card 300. In the FA (factory automation)-related fields, however, memory card 300, in practical use, may not always be inserted in such an authorized host device.

For example, a system with a higher level of security may certainly be feasible as a tighter access restriction is imposed on memory card 300. This, however, may invite the risk of poor workability in practical use. To cope with such a trade-off problem, control system 1 according to the embodiments disclosed herein is provided with a technology that may ensure a higher level of security without compromising user-friendliness in data accesses to the data in removable memory card 300.

Specifically, control system 1 is so configured that, in case memory card 300 inserted in a particular device of the device group fails to authenticate the device loaded with memory card 300, this particular device is enabled to access the data in memory card 300, insofar as consistency is determined among configurations of the other devices of the device group currently interconnected. This technical feature is hereinafter described in detail.

In this embodiment, memory card 300 and the devices including PLC 100 and units 200-1 to 200-4 may be each referred to as “member”. The members each include a storage region in which a list containing pieces of relevant information associated with the members is retainable. The “relevant information” may be any information that can be used to identify each member. In this embodiment, the relevant information may include model codes (Model in the drawing) and serial numbers (Serial in the drawing).

The “model code” represents a model that allows each member to be distinguished from the other members based on differences in structure, facility and outer shape. The “serial number” represents a number that can be used to individually identify each member, an example of which may be a unique production number assigned to each product to be shipped out. The serial number is typically unique to each member, which may avoid the risk of different serial numbers being redundantly used among the members. On the other hand, the model codes are respectively assigned to specific models of products, which may possibly be shared among some of the members.

As for PLC 100 illustrated in the example of FIG. 1, “A” as model code and “a” as serial number are assigned to this device. As for unit 200-1 illustrated in this drawing, “B” as model code and “b” as serial number are assigned to this device. As for unit 200-2 illustrated in this drawing, “B” as model code and “c” as serial number are assigned to this device. As for unit 200-3 illustrated in this drawing, “C” as model code and “d” as serial number are assigned to this device. As for unit 200-4 illustrated in this drawing, “C” as model code and “e” as serial number are assigned to this device. While the unique serial numbers are thus assigned to PLC 100 and units 200-1 to 200-4, the same model code “B” is assigned to units 200-1 and 200-2 and the same model code “C” is assigned to units 200-3 and 200-4.

As for memory card 300, “X” as model code and “y” as serial number are assigned to this member.

Memory card 300 retains a list 300L, PLC 100 retains a list 100L, and units 200-1 to 200-4 respectively retain lists 200-1L to 200-4L. These lists are prepared by support device 400 and transferred into the devices. These lists are also retained in memory card 300 by way of support device 400 or PLC 100.

In the example of FIG. 1 are illustrated contents of list 300L retained in memory card 300. List 300L contains the model codes (Model) and the serial numbers (Serial) assigned to slots 1 to 5 and also contains the model code (Model) and the serial number (Serial) of memory card 300. Thus, memory card 300 is allowed to grasp the members currently on the system by checking list 300L.

The contents of the lists retained by the members remain unchanged unless the members are changed or replaced. Specifically, list 300L illustrated in FIG. 1 has the same contents as those of list 100L retained by PLC 100 and of lists 200-1L to 200-4L retained by units 200-1 to 200-4.

Further, the members are configured to verify pieces of relevant information associated with and obtained from the other members against pieces of relevant information associated with the other members and included in the lists retained by the other members.

Specifically, memory card 300 verifies the model codes and the serial numbers of and obtained from the other members (PLC 100, units 200) against the model codes and the serial numbers of the other members (PLC 100, units 200) included in the list currently retained by memory card 300 to determine consistency or inconsistency between these pieces of relevant information of the other members (PLC 100, units 200) obtained from the different sources.

Similarly, PLC 100 verifies the model codes and the serial numbers of and obtained from the other members (memory card 300, unit 200) against the model codes and the serial numbers of the other members (memory card 300, unit 200) included in the list currently retained by PLC 100 to determine consistency or inconsistency between these pieces of relevant information of the other members (memory card 300, unit 200) obtained from the different sources.

Similarly, units 200 verify the model codes and the serial numbers of and obtained from the other members (memory card 300, PLC 100, other units 200) against the model codes and the serial numbers of the other members (memory card 300, PLC 100, other units 200) included in the lists currently retained by units 200 to determine consistency or inconsistency between these pieces of relevant information of the other members (memory card 300, PLC 100, other units 200) obtained from the different sources.

When memory card 300 is inserted in PLC 100, accesses by PLC 100 to the data stored in memory card 300 are enabled, insofar as results of verification by the members satisfy a predetermined condition. The “predetermined condition” may be optionally selected from any conditions under which the data stored in memory card 300 is accessible in view of security.

When, for example, memory card 300 is inserted in PLC 100, the members currently on the system are verified by any members included in the members but PLC 100 (memory card 300, unit 200) based on the lists retained by the members except PLC 100. Then, accesses by PLC 100 to the data stored in memory card 300 are enabled, insofar as the degree of consistency between results of verification by the members is greater than a certain value.

In control system 1 according to the embodiments, when memory card 300 is received by PLC 100, the data stored in memory card 300 only becomes accessible after a predetermined condition is satisfied by results of verification of the relevant information by any members included in the members but PLC 100 (memory card 300, units 200). This may ensure a higher level of security without compromising user-friendliness in accesses to the data stored in removable memory card 300.

<B. Hardware Components and Configurations of Devices Included in Control System 1>

Next, hardware components and configurations of the devices included in control system 1 are hereinafter described.

(b1: PLC 100)

FIG. 2 is a block diagram that schematically illustrates exemplified hardware components of PLC 100 and an exemplified configuration of memory card 300 according to the embodiments. As illustrated in FIG. 2, PLC 100 includes a processor 102, a main memory 104, a storage 106, a network controller 108 and a memory card interface 113. These components are interconnected through a processor bus 130.

Processor 102 is a computing unit configured to execute computations for control, and elements constituting this processor include a CPU (Central Processing Unit) and a GPU (Graphics Processing Unit). Specifically, processor 102 reads programs stored in storage 106 (for example, control program 140, system program 1060, restoration program 1065) and then expands and runs the read programs on main memory 104, so that predetermined processes for control are executed.

In FIG. 2 is presented an example in which functions required of PLC 100 are offered by prompting processor 102 to run predetermined programs. Instead, the functions thus offered may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).

Main memory 104 may include a volatile storage device, for example, DRAM (Dynamic Random Access Memory) or SRAM (Static Random Access Memory). Storage 106 may include a non-volatile storage device(s), for example, HDD (Hard Disk Drive) and/or SSD (Flash Solid State Drive). In storage 106 are stored a system program 1060 that enables basic functions, a control program 140 developed correspondingly to a target to be controlled, for example, facility or machinery, and a restoration program 1065 used to restore PLC 100.

Network controller 108 transmits and receives data to and from optional information processors including support device 400 through network 2.

Memory card interface 113 is an interface for exclusive use with memory card 300 described herein as an example of removable recording media. Memory card interface 113 that received a predetermined access authentication is allowed to write data in memory card 300 and read various pieces of data (for example, backup data) from memory card 300.

Memory card interface 113 is loaded with a security unit 1130. Security unit 1130 is a security chip that permits or prohibits accesses made by processor 102 to memory card 300. This security unit is an example of the “reader” including a concealed logic for exclusive use. Memory card 300 according to the embodiments is a memory card highly guarded against unauthorized data accesses. This memory card can only be accessed from security unit 1130 alone. Thus, the level of security may be enhanced in regard to data accesses to memory card 300.

Security unit 1130 includes a processor 1131, a storage 1132, a memory 1133, an IO module 1134, an IO module 1135, and a memory card controller 1136.

Processor 1131 is a computing device in charge of computations for control and may include, for example, MPU (Micro Processing Unit). Specifically, processor 1131 reads programs stored in storage 1132 (for example, read program 1150) and then expands and runs the read program on memory 1133, so that predetermined processes for control are executed.

In FIG. 2 is presented an example in which functions required of security unit 1130 are offered by prompting processor 1131 to run predetermined programs.

Instead, the functions thus offered may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).

Memory 1133 may include a volatile storage device, for example, DRAM or SRAM. Storage 1132 may include a non-volatile storage device, for example, flash memory. This storage is an example of the “storage region” in PLC 100. In storage 1132 are stored a read program 1150, a user data 1160, a certificate data 1170, an identification data 1180, and a list 100L.

Read program 1150 includes a program which is run to execute an access authentication process. Specifically describing this process, when, for example, an access request is outputted from processor 102 for data 1335 including the backup data stored in memory card 300, this read program determines whether the requested access to data 1335 in memory card 300 should be enabled. Then, the data is determined as accessible when a positive result is obtained but is determined as inaccessible when a negative result is obtained. User data 1160 includes pieces of information used to identify users in control system 1 (for example, account names, passwords).

Certificate data 1170 contains information used to prove that PLC 100 is an authorized member for control system 1. For example, certificate data 1170 contains information on certificates issued when the devices are authenticated by the original manufacturers as genuine products. Certificate data 1170 may otherwise contain information on certificates issued when the devices are authenticated by users or third parties like outside organizations, instead of the original manufacturers.

Identification data 1180 contains pieces of relevant information including the model code and the serial number of PLC 100. As described earlier, list 100L contains pieces of relevant information associated with the members.

IO module 1134 transmits and receives input and output data, through processor bus 130, to and from processor 1131 and processor 102. IO module 1135 transmits and receives input and output data, through memory card controller 1136, to and from processor 1131 and memory card 300.

Memory card controller 1136 activates a communication path leading to memory card 300 when accesses made by processor 102 to memory card 300 are enabled based on the access authentication process.

(b2: Memory Card 300)

As illustrated in FIG. 2, memory card 300 includes a data area 1331, a secure area 1332, and a security controller 1336. Data area 1331 is a storage region in which data 1335 including the backup data is storable. Optionally, data 1335 may be encrypted with a key, for example, with a public key and then stored in data area 1331.

Secure area 1332 is a concealed storage region that requires any device trying to access this region to be authenticated beforehand. This secure area is an example of the “storage region” in memory card 300. In secure area 1332, a user data 1360, a certificate data 1370, an identification data 1380, and a list 300L are stored.

User data 1360 contains pieces of information used to identify users in control system 1 (for example, account names, passwords). Certificate data 1370 contains information used to prove that memory card 300 is an authorized device for control system 1. For example, certificate data 1370 contains information on certificates issued when the devices are authenticated by the original manufacturers as genuine products. Certificate data 1370 may otherwise contain information on certificates issued when the devices are authenticated by users or third parties like outside organizations, instead of the original manufacturers.

Identification data 1380 contains pieces of relevant information including the model code and the serial number of memory card 300. As described earlier, list 300L contains pieces of relevant information associated with the members.

Security controller 1336 activates a communication path between security unit 1130 and area 1331 when accesses made by processor 102 to data area 1335 are enabled based on the access authentication process described earlier. Memory card 300 according to the embodiments can only be accessed from security unit 1130 alone of PLC 100 including the concealed logic for exclusive use. Supposing there is another read-only device allowed to access memory card 300, such a device is still not allowed to access data 1335 stored in data area 1331 of memory card 300 unless the device is authenticated beforehand based on the access authentication process.

(b3: Units 200)

FIG. 3 is a block diagram that schematically illustrates exemplified hardware components of units 200 according to the embodiments. As illustrated in FIG. 3, units 200 each include a function module 210, a local bus controller 220, and a security unit 2130.

Function module 210 provides a function(s) suitable for a job(s) to be done by each unit 200. In case units 200 are each a digital input unit, function module 210 has an input circuit and a detecting circuit for digital signals, for example, photocouplers. In case units 200 are each a servo driver, function module 210 has, for example, a track computing logic and a command generating logic.

Local bus controller 220 transmits and receives data, through local bus 4, to and from PLC 100 or other units 200 which this bus controller is connected to.

Security unit 2130 is a security chip used to execute the access authentication process and is allowed to intercommunicate with function module 210 and local bus controller 220. Security unit 2130 includes a processor 2161, a storage 2162 and a memory 2163.

Processor 2161 is a computing unit in charge of computations for control and may include, for example, MPU. Processor 2161 reads programs stored in storage 2162 (for example, restoration program 2150) and then expands and runs the read program on memory 2163, so that predetermined processes for control are executed.

In FIG. 3 is presented an example in which functions required of units 200 are offered by prompting processor 2161 to run predetermined programs. Instead, the functions thus offered may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).

Memory 2163 may include a volatile storage device, for example, DRAM or SRAM. Storage 2162 may include a non-volatile storage device, for example, flash memory. This storage is an example of the “storage region” in unit 200. In storage 2162 are stored a restoration program 2150, a user data 2160, a certificate data 2170, an identification data 2180, and a list 200L.

Restoration program 2150 contains programs run to restore unit 200. User data 2160 contains pieces of information used to identify users in control system 1 (for example, account names, passwords). Certificate data 2170 contains information used to prove that units 200 are authorized devices for control system 1. For example, certificate data 2170 contains information on certificates issued when the devices are authenticated by the original manufacturers as genuine products. Certificate data 2170 may otherwise contain information on certificates issued when the devices are authenticated by users or third parties like outside organizations, instead of the original manufacturers.

(b4: Support Device 400)

FIG. 4 is a block diagram that schematically illustrates exemplified hardware components of support device 400 according to the embodiments. Support device 400 is implemented by, for example, prompting a computer that complies with general-purpose architectures to execute a program.

As illustrated in FIG. 4, support device 400 includes a processor 402, a main memory 404, a storage 406, an input unit 408, a display unit 410, an optical drive 412 and a network controller 416. These components are interconnected through a processor bus 418.

Processor 402 may include, for example, CPU and GPU. This processor reads programs stored in storage 406 (for example, OS 4060 and support program 4062) and then expands and runs the read program on main memory 404, so that predetermined processes for control are executed.

In FIG. 4 is presented an example in which functions required of support device 400 are offered by prompting processor 402 to run predetermined programs. Instead, the functions thus offered may be implemented in part or in whole by using a dedicated hardware circuit (for example, ASIC or FPGA).

Main memory 404 may include a volatile storage device, for example, DRAM or SRAM. Storage 406 may include a volatile storage device, for example, HDD or SSD.

In addition to OS 4060 that enables basic functions, support program 4062 is stored in storage 406. This support program provides functions required of support device 400. Support program 4062 prompts a computer to operate as support device 400.

Input unit 408 may include a keyboard and a mouse to receive inputs from a user. Display unit 410 includes a display, indicators and a printer, so that processing results of processor 402, for example, are outputted.

Network controller 416 transmits and receives data, through network 2, to and from optional external devices, for example, PLC 100.

Support device 400 is equipped with optical drive 412. Programs that are non-transitorily stored in a computer-readable recording medium 414 (for example, optical recording medium such as DVD (Digital Versatile Disc)) are read from this recording medium and installed into, for example, storage 406.

Support program 4062 run by support device 400, for example, may be installed through computer-readable recording medium 414 or may be downloaded from, for example, a network server and then installed. The functions provided by support device 400 according to the embodiments may be feasible by leveraging some of the modules provided by OS.

<C. Example of Serial Verification>

Referring to FIGS. 5 to 7, an exemplified verification is hereinafter described, in which serial numbers are used for verification in the access authentication process (hereinafter, may be referred to as “serial verification”).

(c1. Example of Serial Verification for Authorized Data Accesses)

FIG. 5 is a diagram that schematically illustrates an exemplified serial verification when data is duly accessed in control system 1 according to the embodiments. FIG. 6 is a diagram that schematically illustrates an example of serial verification assessment in control system 1 according to the embodiments.

As for PLC 100 in slot 1 illustrated in the example of FIG. 5, “A” as model code and “a” as serial number are assigned to this device in control system 1. As for unit 200-1 in slot 2 illustrated in this drawing, “B” as model code and “b” as serial number are assigned to this device. As for unit 200-2 in slot 3 illustrated in this drawing, “B” as model code and “c” as serial number are assigned to this device. As for unit 200-3 in slot 4 illustrated in this drawing, “C” as model code and “d” as serial number are assigned to this device. As for unit 200-4 in slot 5 illustrated in this drawing, “C” as model code and “e” as serial number are assigned to this device. In control system 1 thus configured, the backup data of PLC 100 is stored in memory card 300.

It is assumed that, under such circumstances, PLC 100 in slot 1 breaks down, and a control system 1a should desirably be newly built by replacing failed PLC 100 with a PLC 100a. As for PLC 100a, “A” as model code and “f” as serial number are assigned to this device. Thus, PLC 100a newly introduced to replace PLC 100 has the same model code as that of PLC 100 and a serial number that differs from that of PLC 100.

When memory card 300 is inserted in PLC 100a to restore the backup data of PLC 100, the access authentication process (serial authentication) is carried out by memory card 300, PLC 100a and units 200-1 to 200-4.

It is assumed that the same contents are stored in the lists of the different members: list 300L of memory card 300, list 200-1L of unit 200-1, list 200-2L of unit 200-2, list 200-3L of unit 200-3, and list 200-4L of unit 200-4. PLC 100a is a newly introduced device, list 100aL of which thus contains no information (blank).

Memory card 300 obtains the serial number “f” as identification data from PLC 100a in slot 1 and verifies the obtained serial number against the serial number “a” for slot 1 stored in its own list 300L. Then, memory card 300 determines that the serial numbers are inconsistent. Memory card 300 obtains the serial numbers “b”, “c”, “d” and “e” as identification data from units 200 of slots 2 to 5 and verifies the obtained serial numbers against the serial numbers “b”, “c”, “d” and “e” for slots 2 to 5 stored in its own list 300L. Then, memory card 300 determines that the serial numbers obtained from the different sources are consistent. As a result of the verification by memory card 300, the serial numbers for slot 1 alone are determined as inconsistent.

On the condition that, for example, memory card 300 sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency, as illustrated in FIG. 6, the bit “1” is set for slot 1 alone and the bit “0” is set for the other members based on the verification result.

PLC 100a obtains the serial number “y” as identification data from memory card 300 and verifies the obtained serial number against the serial number for this memory card stored in its own list 100aL. Since list 100aL contains no information (blank), PLC 100a determines that the serial numbers are inconsistent. PLC 100a obtains the serial numbers “b”, “c”, “d” and “e” as identification data from units 200 of slots 2 to 5 and verifies the obtained serial numbers against the serial numbers for slots 2 to 5 stored in its own list 100aL. Because list 100aL contains no information (blank), PLC 100a determines that the serial numbers are inconsistent. As a result of the verification by PLC 100a, the serial numbers for memory card 300 and slots 2 to 5 are determined as inconsistent.

On the condition that, for example, PLC 100a in slot 1 sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency, as illustrated in FIG. 6, the bit “1” is set for slots 2 to 5 and memory card 300 based on the verification result.

Units 200-1 to 200-4 each obtain the serial number “y” as identification data from memory card 300 and verify the obtained serial number against the serial number “y” stored in their own lists 200-1L to 200-4L. Then, units 200-1 to 200-4 determine that the serial numbers are consistent. Units 200-1 to 200-4 obtain the serial number “f” as identification data from PLC 100a and verify the obtained serial number against the serial number “a” for slot 1 stored in their own lists 200-1L to 200-4L. Then, units 200-1 to 200-4 determine that the serial numbers are inconsistent. Units 200 each obtain the serial numbers as identification data from the other units 200 and verify the obtained serial numbers against the serial numbers for the other units 200 stored in their own lists. Then, units 200 determine that the serial numbers are consistent. As a result of the verification by units 200-1 to 200-4, the serial numbers for slot 1 alone are determined as inconsistent.

On the condition that, for example, units 200 of slots 2 to 5 set the bit “0” in their own tables when the verification result indicates consistency and set the bit “1” when the verification result indicates inconsistency, as illustrated in FIG. 6, the bit “1” is set for slot 1 alone and the bit “0” is set for the other members based on the verification result.

After the serial numbers in regard to all of the members are thus verified, the serial numbers in slot 1 in regard to memory card 300 and units 200 alone are determined as inconsistent. As a result, PLC 100a of slot 1 is determined by many of the members as being newly introduced, which can be rephrased that none of the other members has been replaced or changed. The serial number-based verification result thus indicates a high degree of consistency. Based on the rule of majority vote, therefore, memory card 300 enables PLC 100a to access and restore the backup data.

The verification results obtained by the members are transmitted to the other members, so that the table illustrated in FIG. 6 can be shared among all of the members. One of the members (for example, member that first acquired the verification results of the members) determines whether the verification results satisfy a predetermined condition. Specifically, the bits set by the members are added as illustrated in FIG. 6, a result of which is then divided by the number of members to calculate an average value (%). Based on the calculated average values of the members, it is determined whether any device with an average value greater than 50% is among the members. In the illustrated example, the average value exceeds 50% in slot 1 alone.

In case three or more members have average values greater than 50%, i.e., three or more members are determined as being replaced or changed by the members having average values of 50% or more, the verification result is determined as indicating a low degree of consistency, disallowing data accesses. In case less than three members have average values greater than 50%, i.e., less than three members are determined as being replaced or changed by the members having average values of 50% or more, the verification result is determined as being acceptable.
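
The FIG. 6 assessment described above, worked through as an added Python example (not code from the patent). The member labels, the dict layout, the choice to divide by the total member count, and the serials "m" and "n" in the second scenario are assumptions or constructed values.

```python
"""Added example: the FIG. 6 serial-verification vote described in section c1."""
from dataclasses import dataclass, field

# Serials retained in every member's list for the original line (values from FIG. 1).
ORIGINAL_LIST = {"slot1": "a", "slot2": "b", "slot3": "c",
                 "slot4": "d", "slot5": "e", "card": "y"}


@dataclass
class Member:
    name: str      # position label (assumed naming: slot1..slot5, card)
    serial: str    # identification data this member reports to the others
    retained: dict = field(default_factory=dict)  # its list; blank for a new device


def build_line(serials, new_devices=()):
    """Members of a line; devices named in new_devices start with a blank list."""
    return [Member(n, s, {} if n in new_devices else dict(ORIGINAL_LIST))
            for n, s in serials.items()]


def vote_table(members):
    """table[voter][target]: 0 = serial matches the voter's list, 1 = it does not."""
    table = {}
    for voter in members:
        table[voter.name] = {
            t.name: 0 if voter.retained.get(t.name) == t.serial else 1
            for t in members if t.name != voter.name
        }
    return table


def inconsistency_rates(table):
    """Sum of the bits set against each member, divided by the number of members."""
    names = list(table)
    return {t: sum(row.get(t, 0) for row in table.values()) / len(names)
            for t in names}


def assess(members, flag_above=0.5, deny_at=3):
    """Return (access_enabled, flagged_members, rates) under the c1 rule."""
    rates = inconsistency_rates(vote_table(members))
    flagged = sorted(n for n, r in rates.items() if r > flag_above)
    return len(flagged) < deny_at, flagged, rates


def replaced_plc():
    """FIG. 5: PLC 100 (serial a) replaced by PLC 100a (serial f, blank list)."""
    return assess(build_line({**ORIGINAL_LIST, "slot1": "f"}, {"slot1"}))


def three_replaced():
    """Constructed case: slots 1 to 3 all replaced (serials m and n are made up)."""
    serials = {**ORIGINAL_LIST, "slot1": "f", "slot2": "m", "slot3": "n"}
    return assess(build_line(serials, {"slot1", "slot2", "slot3"}))


if __name__ == "__main__":
    for label, (ok, flagged, rates) in (("replaced PLC", replaced_plc()),
                                        ("three replaced", three_replaced())):
        print(label, "->", "access enabled" if ok else "access denied", flagged)
        print("  ", {n: f"{r:.0%}" for n, r in rates.items()})
```

In the second scenario the untouched members sit at exactly 50%, which the "greater than 50%" test does not flag, so the denial comes only from the three replaced slots.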

Insofar as the verification result is thus found acceptable, memory card 300 enables PLC 100a to access the backup data.

(c2. Example of Serial Verification for Unauthorized Data Accesses)

FIG. 7 is a diagram that schematically illustrates an exemplified serial verification when data is unduly accessed in control system 1 according to the embodiments.

As for PLC 100 in slot 1 illustrated in the example of FIG. 7, “A” as model code and “a” as serial number are assigned to this device in control system 1. As for unit 200-1 in slot 2 illustrated in this drawing, “B” as model code and “b” as serial number are assigned to this device. As for unit 200-2 in slot 3 illustrated in this drawing, “B” as model code and “c” as serial number are assigned to this device. As for unit 200-3 in slot 4 illustrated in this drawing, “C” as model code and “d” as serial number are assigned to this device. As for unit 200-4 in slot 5 illustrated in this drawing, “C” as model code and “e” as serial number are assigned to this device. In control system 1 thus configured, the backup data of PLC 100 is stored in memory card 300.

It is assumed that, under such circumstances, data is restored in a control system 1x including an unauthorized line built after memory card 300 is stolen. For example, PLC 100x of slot 1 and units 200x-1 to 200x-4 of slots 2 to 5 are interconnected through a local bus 4x in a manner that these devices are allowed to communicate with one another.

As for PLC 100x in slot 1, “A” as model code and “o” as serial number are assigned to this device. As for unit 200x-1 in slot 2, “B” as model code and “p” as serial number are assigned to this device. As for unit 200x-2 in slot 3, “B” as model code and “q” as serial number are assigned to this device. As for unit 200x-3 in slot 4, “C” as model code and “r” as serial number are assigned to this device. As for unit 200x-4 in slot 5, “C” as model code and “s” as serial number are assigned to this device.

When memory card 300 is inserted in PLC 100x to unduly restore the backup data of PLC 100, the data in memory card 300 is not accessible by PLC 100x without the access authentication process unless a program required to run this process has been pre-installed in this device. This may prevent the risk of data leakage.

Supposing that the respective members are loaded with such an access authentication program, memory card 300, PLC 100x and units 200x-1 to 200x-4 carry out the access authentication process (serial authentication).

Memory card 300 obtains the serial number “o” as identification data from PLC 100x in slot 1 and verifies the obtained serial number against the serial number “a” for slot 1 stored in its own list 300L. Then, memory card 300 determines that the serial numbers are inconsistent. Memory card 300 obtains the serial numbers “p”, “q”, “r” and “s” as identification data from units 200x of slots 2 to 5 and verifies the obtained serial numbers against the serial numbers “b”, “c”, “d” and “e” for slots 2 to 5 stored in its own list 300L. Then, memory card 300 determines that the serial numbers obtained are inconsistent. As a result of the verification by memory card 300, the serial numbers are determined as inconsistent for all of the slots 1 to 5.

In the serial verification employed in this embodiment, the serial numbers of and obtained from the members are verified against the serial numbers of the members stored in list 300L of memory card 300, and the degree of consistency is determined as low when the number of members with their serial numbers being determined as consistent does not exceed a certain number (for example, three). In the example illustrated in FIG. 7, the serial number-based verification result thus indicates a low degree of consistency; therefore, memory card 300 does not enable PLC 100x to access or restore the backup data.

<D. Example of Model Verification>

Referring to FIGS. 8 to 10, an exemplified verification is hereinafter described, in which model codes are used for verification in the access authentication process (hereinafter, may be referred to as “model verification”).

(d1. Example of Model Verification for Authorized Data Accesses)
-
FIG. 8 is a diagram that schematically illustrates an exemplified model verification when data is duly accessed in control system 1 according to the embodiments. FIG. 9 is a diagram that schematically illustrates an example of model verification assessment in control system 1 according to the embodiments. - As for
PLC 100 in slot 1 illustrated in the example of FIG. 8, “A” as model code and “a” as serial number are assigned to this device in control system 1. As for unit 200-1 in slot 2 illustrated in this drawing, “B” as model code and “b” as serial number are assigned to this device. As for unit 200-2 in slot 3 illustrated in this drawing, “B” as model code and “c” as serial number are assigned to this device. As for unit 200-3 in slot 4 illustrated in this drawing, “C” as model code and “d” as serial number are assigned to this device. As for unit 200-4 in slot 5 illustrated in this drawing, “C” as model code and “e” as serial number are assigned to this device. In control system 1 thus configured, the backup data of PLC 100 is stored in memory card 300. - It is assumed, under such circumstances, that a
control system 1 b is newly built by duplicating a line configured similarly to that of control system 1. For example, PLC 100 b of slot 1 and units 200 b-1 to 200 b-4 of slots 2 to 5 are interconnected through a local bus 4 b in a manner that these devices are allowed to communicate with one another. - As for
PLC 100 b in slot 1, “A” as model code and “g” as serial number are assigned to this device. As for unit 200 b-1 in slot 2, “B” as model code and “h” as serial number are assigned to this device. As for unit 200 b-2 in slot 3, “B” as model code and “i” as serial number are assigned to this device. As for unit 200 b-3 in slot 4, “C” as model code and “j” as serial number are assigned to this device. As for unit 200 b-4 in slot 5, “C” as model code and “k” as serial number are assigned to this device. - When
memory card 300 is inserted in PLC 100 b to restore the backup data of PLC 100, the access authentication process (model authentication) is carried out by memory card 300, PLC 100 b and units 200 b-1 to 200 b-4. - It is assumed that the same contents are stored in the lists of the different members:
list 300L of memory card 300, list 200 b-1L of unit 200 b-1, list 200 b-2L of unit 200 b-2, list 200 b-3L of unit 200 b-3, and list 200 b-4L of unit 200 b-4. -
Memory card 300 obtains the model code “A” as identification data from PLC 100 b in slot 1 and verifies the obtained model code against the model code “A” for slot 1 stored in its own list 300L. Then, memory card 300 determines that the model codes obtained from the different sources are consistent. Memory card 300 obtains the model codes “B”, “B”, “C” and “C” as identification data from units 200 of slots 2 to 5 and verifies the obtained model codes against the model codes “B”, “B”, “C” and “C” for slots 2 to 5 stored in its own list 300L. Then, memory card 300 determines that the model codes obtained from the different sources are consistent. Based on the verification result obtained by memory card 300, the model codes are determined as consistent for all of the slots 1 to 5. - On the condition that, for example,
memory card 300 sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency, as illustrated in FIG. 9, the bit “0” is set for slots 1 to 5 based on the verification result. -
PLC 100 b obtains the model code “X” as identification data from memory card 300 and verifies the obtained model code against the model code “X” for this memory card stored in its own list 100 bL. Then, PLC 100 b determines that the model codes obtained from the different sources are consistent. PLC 100 b obtains the model codes “B”, “B”, “C” and “C” as identification data from units 200 b of slots 2 to 5 and verifies the obtained model codes against the model codes “B”, “B”, “C” and “C” for slots 2 to 5 stored in its own list 100 bL. Then, PLC 100 b determines that the model codes obtained from the different sources are consistent. Based on the verification result obtained by PLC 100 b, the model codes are determined as consistent for all of the slots 1 to 5. - On the condition that, for example,
PLC 100 b in slot 1 sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency, as illustrated in FIG. 9, the bit “0” is set for slots 2 to 5 and memory card 300 based on the verification result. -
Units 200 b-1 to 200 b-4 each obtains the model code “X” as identification data from memory card 300 and verifies the obtained model code against the model code “X” for this memory card stored in a respective one of their own lists 200 b-1L to 200 b-4L. Then, units 200 b-1 to 200 b-4 determine that the model codes obtained from the different sources are consistent. Units 200 b-1 to 200 b-4 each obtains the model code “A” as identification data from PLC 100 b and verifies the obtained model code against the model code “A” for slot 1 stored in a respective one of their own lists 200 b-1L to 200 b-4L. Then, units 200 b-1 to 200 b-4 determine that the model codes obtained from the different sources are consistent. Units 200 b each obtains the model codes as identification data from the other units 200 b and verifies the obtained model codes against the model codes for the other units 200 b stored in their own lists. Then, units 200 b determine that the model codes are consistent. Based on the verification result obtained by units 200 b-1 to 200 b-4, the model codes are determined as consistent for all of the slots 1 to 5. - On the condition that, for example,
units 200 b in slots 2 to 5 each sets the bit “0” in its own table when the verification result indicates consistency and sets the bit “1” when the verification result indicates inconsistency, as illustrated in FIG. 9, the bit “0” is set for the respective members based on the verification result. - After the model codes in regard to all of the members are thus verified, the model codes for all of
memory card 300 and slots 1 to 5 are determined as consistent. As a result, it is determined by many of the members that the members including PLC 100 b in slot 1 are mostly not replaced or changed. The model code-based verification result thus indicates a high degree of consistency. Based on the rule of majority vote, therefore, memory card 300 enables PLC 100 b to access and restore the backup data. - The verification results obtained by the members are transmitted to the other members, so that the table illustrated in
FIG. 9 can be shared among all of the members. One of the members (for example, member that first acquired the verification results of the members) determines whether the verification results satisfy a predetermined condition. Specifically, the bits set by the members are added as illustrated in FIG. 9, a result of which is then divided by the number of members to calculate an average value (%). Based on the calculated average values of the members, it is determined whether any device with an average value greater than 50% is among the members. In the illustrated example, none of the members has an average value greater than 50%. - In case three or more members have average values greater than 50%, i.e., three or more members are determined as being replaced or changed by the members having average values of 50% or more, the verification result is determined as indicating a low degree of consistency, disallowing data accesses. In case less than three members have average values greater than 50%, i.e., less than three members are determined as being replaced or changed by the members having average values of 50% or more, the verification result is determined as being acceptable.
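The shared-table decision described above (FIG. 9) and the card-side count rule stated earlier for the serial verification, worked through as an added Python example that is not code from the patent. It assumes every member retains the list of the original line and takes the denominator as the total number of members; `Member`, `build`, `access_allowed`, `card_side_ok` and the position labels are hypothetical names.

```python
from dataclasses import dataclass, field

# Constructed from identifiers quoted in the text: position -> (model code, serial number).
LINE_1 = {"card": ("X", "y"), "slot1": ("A", "a"), "slot2": ("B", "b"),
          "slot3": ("B", "c"), "slot4": ("C", "d"), "slot5": ("C", "e")}
# FIG. 8: duplicated line, same model codes, new serial numbers.
LINE_1B = {"card": ("X", "y"), "slot1": ("A", "g"), "slot2": ("B", "h"),
           "slot3": ("B", "i"), "slot4": ("C", "j"), "slot5": ("C", "k")}
# FIGS. 5 and 6: only the PLC in slot 1 is replaced (serial "a" -> "f").
LINE_1A = dict(LINE_1, slot1=("A", "f"))
# FIG. 7: foreign line; "-" is a placeholder, model codes are not used in the serial check.
LINE_1X = {"card": ("X", "y"), "slot1": ("-", "o"), "slot2": ("-", "p"),
           "slot3": ("-", "q"), "slot4": ("-", "r"), "slot5": ("-", "s")}
FIELD = {"model": 0, "serial": 1}


@dataclass
class Member:
    position: str
    ident: tuple                                   # what the member reports about itself
    retained: dict = field(default_factory=dict)   # the list the member stores


def build(line, retained=LINE_1):
    """Assumption: every member stores a copy of the original line's list."""
    return [Member(pos, ident, dict(retained)) for pos, ident in line.items()]


def verify(verifier, members, key):
    """Bits set by one verifier for every other listed position (0 consistent, 1 not)."""
    present = {m.position: m for m in members}
    i = FIELD[key]
    bits = {}
    for pos, expected in verifier.retained.items():
        if pos == verifier.position:
            continue
        other = present.get(pos)   # an empty slot supplies no identification data
        bits[pos] = 0 if other is not None and other.ident[i] == expected[i] else 1
    return bits


def shared_table(members, key):
    """The table every member ends up holding: verifier -> {subject: bit}."""
    return {m.position: verify(m, members, key) for m in members}


def suspect_positions(table, n_members):
    """Subjects whose summed bits divided by the number of members exceed 50%."""
    totals = {}
    for bits in table.values():
        for pos, bit in bits.items():
            totals[pos] = totals.get(pos, 0) + bit
    return sorted(p for p, t in totals.items() if t / n_members > 0.5)


def access_allowed(members, key, limit=3):
    """Deny when `limit` or more members are judged replaced or changed."""
    suspects = suspect_positions(shared_table(members, key), len(members))
    return len(suspects) < limit, suspects


def card_side_ok(members, key, minimum=3):
    """Card-side rule: the count of consistent members must exceed `minimum`."""
    card = next(m for m in members if m.position == "card")
    consistent = sum(1 for bit in verify(card, members, key).values() if bit == 0)
    return consistent > minimum


if __name__ == "__main__":
    for name, line, key in [("FIG. 8, model", LINE_1B, "model"),
                            ("FIG. 8, serial", LINE_1B, "serial"),
                            ("FIGS. 5-6, serial", LINE_1A, "serial")]:
        print(name, access_allowed(build(line), key))
    print("FIG. 7, serial, card-side:", card_side_ok(build(LINE_1X), "serial"))
```

The same duplicated line passes under model codes and fails under serial numbers, while a single replaced PLC is flagged but still stays below the limit of three.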
- Insofar as the verification result is thus found acceptable,
memory card 300 enables PLC 100 a to access the backup data. - In the example illustrated in
FIG. 8 in which the model codes are duplicated from the same line, the serial numbers of the units and PLC are changed. Supposing that the serial verification illustrated in FIGS. 5 and 6 is employed in the example of FIG. 8, it is determined by many of the members that the members including the PLC in slot 1 are mostly replaced or changed. Memory card 300, therefore, does not enable accesses by the PLC to the backup data. - In the verification using the model codes instead of the serial numbers unique to the devices, accesses to the backup data stored in
memory card 300 are enabled in regard to the members of the same model code having different serial numbers, as illustrated in the example of FIGS. 8 and 9. This may ensure a good balance between user-friendliness and better security in data accesses to memory card 300. - (d2. Example of Model Verification for Unauthorized Data Accesses)
-
FIG. 10 is a diagram that schematically illustrates an exemplified model verification when data is unduly accessed in control system 1 according to the embodiments. - As for
PLC 100 in slot 1 illustrated in the example of FIG. 10, “A” as model code and “a” as serial number are assigned to this device in control system 1. As for unit 200-1 in slot 2 illustrated in this drawing, “B” as model code and “b” as serial number are assigned to this device. As for unit 200-2 in slot 3 illustrated in this drawing, “B” as model code and “c” as serial number are assigned to this device. As for unit 200-3 in slot 4 illustrated in this drawing, “C” as model code and “d” as serial number are assigned to this device. As for unit 200-4 in slot 5 illustrated in this drawing, “C” as model code and “e” as serial number are assigned to this device. In control system 1 thus configured, the backup data of PLC 100 is stored in memory card 300. - It is assumed that, under such circumstances, data is restored in a control system 1 y including an unauthorized line built after
memory card 300 is stolen. For example, PLC 100 y of slot 1 and units 200 y-1 to 200 y-3 of slots 2 to 5 are interconnected through a local bus 4y in a manner that these devices are allowed to communicate with one another. - As for
PLC 100 y in slot 1, “D” as model code and “k” as serial number are assigned to this device. As for unit 200 y-1 in slot 2 illustrated in this drawing, “E” as model code and “I” as serial number are assigned to this device. As for unit 200 y-2 in slot 3 illustrated in this drawing, “E” as model code and “m” as serial number are assigned to this device. As for unit 200 y-3 in slot 4 illustrated in this drawing, “F” as model code and “n” as serial number are assigned to this device. Slot 5 is empty with no unit. - When
memory card 300 is inserted in PLC 100 y to unduly restore the backup data of PLC 100, the data in memory card 300 is not accessible by PLC 100 y without the access authentication process unless a program required to run this process has been pre-installed in this device. This may prevent the risk of data leakage. - Supposing that the respective members are loaded with the program installed to run the access authentication process,
memory card 300, PLC 100 y and units 200 y-1 to 200 y-3 carry out the access authentication process (model authentication). -
Memory card 300 obtains the model code “D” as identification data from PLC 100 y in slot 1 and verifies the obtained model code against the model code “A” for slot 1 stored in its own list 300L. Then, memory card 300 determines that the model codes are inconsistent. Memory card 300 obtains the model codes “E”, “E” and “F” as identification data from units 200 y of slots 2 to 4 and verifies the obtained model codes against the model codes “B”, “B” and “C” for slots 2 to 4 stored in its own list 300L. Then, memory card 300 determines that the model codes are inconsistent. The identification data is not obtainable from slot 5 or verifiable against the model code “C” for slot 5 stored in its own list 300L. Then, memory card 300 determines the lack of consistency. Based on the verification result obtained by memory card 300, the model codes are determined as inconsistent for all of the slots 1 to 5. - In the model verification employed in this embodiment, the model codes of and obtained from the members are verified against the model codes of the members stored in
list 300L of memory card 300, and the degree of consistency is determined as low when the number of members with their model codes being determined as consistent does not exceed a certain number (for example, three). In the example illustrated in FIG. 10, the model code-based verification result thus indicates a low degree of consistency; therefore, memory card 300 does not enable PLC 100 y to access or restore the backup data. - <E. Example of Setting Screen in
Support Device 400> -
FIG. 11 is a diagram that schematically illustrates an exemplified setting screen of support device 400 according to the embodiments. As illustrated in FIG. 11, support device 400 provides a user interface that allows users to input various settings for the access authentication process. - Specifically,
support device 400 has a screen 450 which includes the following fields: user information 451 in which user information is settable, user authentication method 452 in which a user authentication method is settable, password 453 in which a password is settable, a verification method 454 in which a verification method is settable, security level 455 in which a level of security is settable, and applicable range 456 in which a range of applicable devices is settable. - A user inputs an account name of his/her own choice in the field of
user information 451 and is thus able to set the account name as his/her user information. The user can select and set a user authentication method of his/her own choice in the field of user authentication method 452. In the embodiments disclosed herein, face authentication or biometric authentication (for example, fingerprint authentication), though not illustrated in the drawings, may be selected instead of the password authentication. The user who selected the password authentication can input a password of his/her own choice in the field of password 453. - The user can select and set a verification method of his/her own choice in the field of
verification method 454. In the embodiments disclosed herein, the user is given a choice between the serial verification and the model verification. Thus, support device 400 according to the embodiments disclosed herein provides a user interface that allows users to select either one of the serial verification and the model verification. - Then, the user is allowed to select, using
support device 400, which one of the following is desirably verified: serial numbers used to individually identify the members, and model codes of the members. Thus, the control system may be successfully built in a suitable manner for a level of security required of the system. - Instead of requesting the user to select one of two options, the model verification and the serial verification,
support device 400 may offer the user such an option that both of the model and serial verifications are available. In this instance, control system 1 according to the embodiments disclosed herein may determine whether the devices are enabled to access the data in memory card 300 using both of the model verification and the serial verification. - In the field of
security level 455, the user can set a level of security required of control system 1. Specifically, the user can set the number of devices, among all of the devices, subject to the serial verification or the model verification in the access authentication process. While all of the devices should desirably be verified in view of security, the devices to be verified may be decreased in order to shorten processing time or lessen the workload of complex processes. In the embodiments disclosed herein, the number of devices to be verified may desirably be a total number of devices from which “1” has been subtracted. Thus, support device 400 according to the embodiments disclosed herein provides a user interface that allows users to set the number of devices to be verified. - Then, the user is allowed to select and set, using
support device 400, how many devices are desirably verified. Thus, the control system may be successfully built in a suitable manner for a level of security required of the system. - The user can set, in the field of
applicable range 456, a range of applicable members subject to the serial verification and/or the model verification in the access authentication process. In the embodiments disclosed herein, the user may select, as a range of applicable devices, PLC 100 and the devices connected to PLC 100 through the local bus 4, or may further select, in addition to these devices, tools like network 2 and support device 400. Thus, support device 400 according to the embodiments disclosed herein provides a user interface that allows users to set the range of applicable devices. - Then, the user is allowed to set, using
support device 400, the range of applicable devices. Thus, the control system may be successfully built in a suitable manner for a level of security required of the system. - <F. Example of Access Authentication Process>
- An example of the access authentication process executed in
control system 1 according to the embodiments disclosed herein is hereinafter described referring to FIGS. 12 and 13. - (f1. Example of Access Authentication Process Using Serial Verification)
-
FIG. 12 is a sequence diagram that illustrates an exemplified access authentication process using the serial verification executed in control system 1 according to the embodiments disclosed herein. FIG. 12 illustrates the access authentication process (serial verification) in the example of FIGS. 5 and 6. Specifically, this drawing illustrates the data restoration after PLC 100 with the serial number of “a” is replaced with PLC 100 a with the serial number of “f” in slot 1. - Though not illustrated in the drawing, when
memory card 300 is inserted in PLC 100 a of slot 1 and a predetermined switch is turned on, the user is requested to input his/her user data on the screen of support device 400. When a user inputs, as user data, his/her user information (for example, account name) and password, support device 400 transmits the user data to PLC 100 a of slot 1, memory card 300 and units 200 of slots 2 to 5, as illustrated in FIG. 12 (steps 1), 2), 3)). -
PLC 100 a of slot 1 verifies user data 1160 retained by itself against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, PLC 100 a transmits certificate data 1170 retained by itself to units 200 of slots 2 to 5 (step 4)). PLC 100 a of slot 1 does not transmit certificate data 1170 unless the user data is authenticated. - When
units 200 of slots 2 to 5 determine that PLC 100 a is a genuine product supplied by the original manufacturer based on certificate data 1170, these units 200 transmit, to PLC 100 a, authentication data indicating that PLC 100 a has been authenticated (step 5)). Units 200 of slots 2 to 5 do not transmit the authentication data to PLC 100 a unless PLC 100 a is determined as being a genuine product supplied by the original manufacturer. -
Units 200 of slots 2 to 5 verify user data 2160 retained by themselves against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, units 200 transmit certificate data 2170 retained by themselves to PLC 100 a of slot 1 (step 6)). Units 200 of slots 2 to 5 do not transmit certificate data 2170 unless the user data is authenticated. -
Memory card 300 verifies user data 1360 retained by itself against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, memory card 300 transmits certificate data 1370 retained by itself to PLC 100 a of slot 1 (step 7)). Memory card 300 does not transmit certificate data 1370 unless the user data is authenticated. - When
PLC 100 a of slot 1 determines that units 200 of slots 2 to 5 are genuine products supplied by the original manufacturers based on certificate data 2170, PLC 100 a transmits, to units 200, authentication data indicating that units 200 have been authenticated (step 8)). PLC 100 a of slot 1 does not transmit the authentication data unless units 200 of slots 2 to 5 are determined as being genuine products supplied by the original manufacturers. - When
PLC 100 a of slot 1 determines that memory card 300 is a genuine product supplied by the original manufacturer based on certificate data 1370, PLC 100 a transmits, to memory card 300, authentication data indicating that memory card 300 has been authenticated (step 9)). PLC 100 a of slot 1 does not transmit the authentication data unless memory card 300 is determined as being a genuine product supplied by the original manufacturer. - When the processes in steps 1) to 9) are all completed,
PLC 100 a in slot 1 has been authenticated by units 200 in slots 2 to 5, units 200 in slots 2 to 5 have been authenticated by PLC 100 a in slot 1, and memory card 300 has been authenticated by PLC 100 a in slot 1. - For the serial verification,
PLC 100 a in slot 1 thereafter transmits identification data 1180 (serial number “f”) retained by itself to units 200 in slots 2 to 5 (step 10)). For the serial verification, PLC 100 a in slot 1 thereafter transmits identification data 1180 (serial number “f”) retained by itself to memory card 300 (step 11)). - For the serial verification,
units 200 in slots 2 to 5 thereafter transmit identification data 2180 (serial numbers “b”, “c”, “d” and “e”) retained by themselves to memory card 300 (step 12)). For the serial verification, memory card 300 thereafter transmits identification data 1380 (serial number “y”) retained by itself to units 200 in slots 2 to 5 (step 13)). For the serial verification, units 200 in slots 2 to 5 thereafter transmit identification data 2180 retained by themselves to the other units 200 (step 14)). - As a result of the processes in steps 10) to 14),
memory card 300, PLC 100 a in slot 1 and units 200 in slots 2 to 5 obtain the pieces of identification data of the members (serial numbers). - Then,
memory card 300, PLC 100 a in slot 1 and units 200 in slots 2 to 5 verify the obtained identification data (serial numbers) of the members against the serial numbers of the members stored in the lists retained by themselves (step 15)). - As described referring to the examples of
FIGS. 5 and 6, when the degree of consistency in the serial number-based verification result is determined as high by one of the members (for example, member that first acquired the verification results of the members), memory card 300 enables PLC 100 a to access the backup data and transmits the backup data to PLC 100 a in slot 1 (step 16)). - Then, the members update their own lists based on the pieces of identification data (serial numbers) obtained from the other members (step 17)). The lists retained by the members are thus updated into the latest data.
- After that,
PLC 100 a of slot 1 restores the data based on the backup data obtained from memory card 300 (step 18)). - In the example illustrated in
FIG. 12, the backup data is transmitted from memory card 300 to PLC 100 a of slot 1 when the degree of consistency in the model verification result is determined as high. Instead, the backup data may be transmitted from memory card 300 to PLC 100 a of slot 1 after PLC 100 a, memory card 300 and units 200 are mutually authenticated. In this instance, PLC 100 a of slot 1 may be prohibited from restoring the data unless the degree of consistency in the model verification result is determined as high. - When
memory card 300 is received by PLC 100 a, accesses to the backup data stored in memory card 300 are enabled only when the degree of consistency is determined as high among the members in the serial number verification results obtained by any members but PLC 100 a. This may ensure a higher level of security without compromising user-friendliness in accesses to the data stored in removable memory card 300. - In addition to the risk of being stolen,
memory card 300 may possibly be accidentally inserted in any system differently configured. In such an event, the data in memory card 300 becomes inaccessible from any device unless such accesses are authorized as a result of the access authentication process (serial verification) described earlier. This may prevent undue data accesses even if memory card 300 is inserted in wrong systems. - (f2. Example of Access Authentication Process Using Model Verification)
-
FIG. 13 is a sequence diagram that illustrates an exemplified access authentication process using the model verification executed in control system 1 according to the embodiments. FIG. 13 illustrates the access authentication process (model verification) in the example of FIGS. 8 and 9. This drawing illustrates an example of restoration after a line configured similarly to that of control system 1 is duplicated. - Though not illustrated in the drawing, when
memory card 300 is inserted in PLC 100 b of slot 1 and a predetermined switch is turned on, the user is requested to input his/her user data on the screen of support device 400. When a user inputs, as user data, his/her user information (for example, account name) and password, support device 400 transmits the user data to memory card 300, as illustrated in FIG. 13 (step 1)). -
Memory card 300 verifies user data 1360 retained by itself against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, memory card 300 transmits certificate data 1370 retained by itself to PLC 100 b of slot 1 (step 2)). Memory card 300 does not transmit certificate data 1370 unless the user data is authenticated. - When
PLC 100 b of slot 1 determines that memory card 300 is a genuine product supplied by the original manufacturer based on certificate data 1370, PLC 100 b transmits, to memory card 300, authentication data indicating that memory card 300 has been authenticated (step 3)). PLC 100 of slot 1 does not transmit the authentication data unless memory card 300 is determined as being a genuine product supplied by the original manufacturer. -
PLC 100 b of slot 1 verifies user data 1160 retained by itself against the user data obtained from support device 400. When these two pieces of user data obtained from the different sources are consistent with each other, PLC 100 b transmits certificate data 1170 retained by itself to memory card 300 of slot 1 (step 4)). PLC 100 b of slot 1 does not transmit certificate data 1170 unless the user data is authenticated. - When
memory card 300 determines that PLC 100 b of slot 1 is a genuine product supplied by the original manufacturer based on certificate data 1170, memory card 300 transmits, to PLC 100 b, authentication data indicating that PLC 100 b has been authenticated (step 5)). Memory card 300 does not transmit the authentication data unless PLC 100 b of slot 1 is determined as being a genuine product supplied by the original manufacturer. - When the processes in steps 1) to 5) are all completed,
memory card 300 has been authenticated by PLC 100 b in slot 1, and PLC 100 b in slot 1 has been authenticated by memory card 300. - For the model verification,
PLC 100 b in slot 1 thereafter transmits identification data 1180 (model code “A”) retained by itself to units 200 b in slots 2 to 5 (step 6)). For the model verification, PLC 100 b in slot 1 thereafter transmits identification data 1180 (model code “A”) retained by itself to memory card 300 (step 7)). - For the model verification,
units 200 b in slots 2 to 5 thereafter transmit identification data 2180 (model codes “B”, “B”, “C” and “C”) retained by themselves to memory card 300 (step 8)). For the model verification, memory card 300 thereafter transmits identification data 1380 (model code “X”) retained by itself to units 200 b in slots 2 to 5 (step 9)). For the model verification, units 200 b in slots 2 to 5 thereafter transmit identification data 2180 retained by themselves to the other units 200 b (step 10)). - As a result of the processes in steps 6) to 10),
memory card 300, PLC 100 b in slot 1 and units 200 b in slots 2 to 5 obtain the pieces of identification data of the members (model codes). - After that,
memory card 300, PLC 100 b in slot 1 and units 200 b in slots 2 to 5 verify the pieces of identification data (model codes) obtained from the members against the model codes of the members stored in the lists retained by themselves (step 11)). - As described referring to the examples of
FIGS. 8 and 9, when the degree of consistency in the model code-based verification result is determined as high by one of the members (for example, member that first acquired the verification results of the members), memory card 300 enables PLC 100 b to access the backup data and transmits the backup data to PLC 100 b in slot 1 (step 12)). - After that,
PLC 100 b of slot 1 restores the data based on the backup data obtained from memory card 300 (step 13)). - In the example illustrated in
FIG. 13, the backup data is transmitted from memory card 300 to PLC 100 b of slot 1 when the degree of consistency in the model verification result is determined as high. Instead, the backup data may be transmitted from memory card 300 to PLC 100 b of slot 1 after PLC 100 b and memory card 300 are mutually authenticated. In this instance, PLC 100 b of slot 1 may be prohibited from restoring the data unless the degree of consistency in the model verification result is determined as high. - When
memory card 300 is received by PLC 100 b, accesses to the backup data stored in memory card 300 are enabled only when the degree of consistency is determined as high among the members in the model code verification results obtained by any members but PLC 100 b. This may ensure a higher level of security without compromising user-friendliness in accesses to the data stored in removable memory card 300. - Further advantageously, accesses to the backup data stored in
memory card 300 are enabled in regard to the members of the same model code having different serial numbers. This may ensure a good balance between user-friendliness and better security in data accesses to removable storage media. - In addition to the risk of being stolen,
memory card 300 may possibly be accidentally inserted in any system differently configured. In such an event, the data in memory card 300 becomes inaccessible from any device unless such accesses are authorized as a result of the access authentication process (model verification) described earlier. This may prevent undue data accesses even if memory card 300 is inserted in wrong systems. - <G. Supplementary Note>
- As described thus far, the embodiments include the following technical aspects disclosed herein.
- [Aspect 1]
- A control system (1) is configured to control access to data in a device group, the device group includes a plurality of devices (100, 200-1 to 200-4), and the plurality of devices are configured to communicate with one another.
- The control system is equipped with:
- a first device (100) included in the plurality of devices and configured to receive, in a removable manner, a storage medium (300) in which data is storable; and
- one or a plurality of second devices (200-1 to 200-4) included in the plurality of devices.
- The control system (1) is further characterized in that,
- each of members of the plurality of devices and the storage medium include:
-
- a storage region (1332, 1132, 2162) configured to retain a list (300L, 100L, 200-1L to 200-4L) containing relevant information associated with each of the members; and
- a verifying unit (step 15) of FIG. 12, step 11) of FIG. 13) configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members, and
- the first device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the first device satisfies a predetermined condition.
- [Aspect 2]
- In the control system (1) according to aspect 1, the first device includes a reader (1130) including a concealed logic for exclusive use, and
- the storage medium is configured to permit access from the reader alone.
- [Aspect 3]
- In the control system (1) according to aspect
- the verifying unit verifies the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members.
- [Aspect 4]
- In the control system (1) according to aspect
- the verifying unit verifies model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members.
- [Aspect 5]
- The control system (1) according to aspect
- the relevant information includes a serial number used to individually identify each of the members and a model code of each of the members,
- the verifying unit includes:
- a first verifying unit (step (15) of FIG. 12) configured to verify the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members; and
- a second verifying unit (step (11) of FIG. 13) configured to verify the model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members, and
- the support device provides a user interface (454) configured to select the first verifying unit or the second verifying unit.
- [Aspect 6]
- The control system (1) according to one of aspects 1 to 5 further includes a support device (400) configured to support the device group and is further characterized in that,
- the support device provides a user interface (455) configured to set a number of any members included in the members but the first device to be verified by the verifying unit.
- [Aspect 7]
- The control system (1) according to one of aspects 1 to 6 further includes a support device (400) configured to support the device group and is further characterized in that,
- the support device provides a user interface (456) configured to set a range of applicable members among the members.
- [Aspect 8]
- A method (FIGS. 12 and 13) is provided for controlling access to data in a device group, the device group includes a plurality of devices (100, 200-1 to 200-4), and the plurality of devices are configured to communicate with one another.
- The plurality of devices include:
- a first device (100) configured to receive, in a removable manner, a storage medium (300) in which data is storable; and
- one or a plurality of second devices (200-1 to 200-4).
- Each of members of the plurality of devices and the storage medium includes a storage region (1332, 1132, 2162) configured to retain a list (300L, 100L, 200-1L to 200-4L) containing relevant information associated with each of the members.
- The method includes:
- prompting each of the members to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members (step (15) of FIG. 12, step (11) of FIG. 13), and
- enabling the first device to access the data stored in the storage medium when a result of verification obtained by each of the other members but the first device satisfies a predetermined condition (step (16) of FIG. 12, step (12) of FIG. 13).
- [Aspect 9]
- A control device (100) is included in a device group, the device group has a plurality of devices (100, 200-1 to 200-4), and the plurality of devices are configured to communicate with one another.
- The control device is configured to control access to data and includes a receiving portion (103) configured to receive, in a removable manner, a storage medium (300) in which data is storable.
- The control device (100) is further characterized in that,
- each of members of the plurality of devices and the storage medium includes:
- a storage region (1332, 1132, 2162) configured to retain a list (300L, 100L, 200-1L to 200-4L) containing relevant information associated with each of the members; and
- a verifying unit (step (15) of FIG. 12, step (11) of FIG. 13) configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from the other members, and
- the control device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the control device satisfies a predetermined condition.
- <H. Advantages>
- In control system 1 according to the embodiments disclosed herein, when memory card 300 is received by PLC 100, it is not until results of the relevant information verified by units 200 other than PLC 100 satisfy a predetermined condition that the data stored in memory card 300 becomes accessible. This may ensure a higher level of security without compromising user-friendliness in accesses to the data stored in removable memory card 300.
- The embodiments disclosed herein are given by way of example in all aspects and should not be construed as limiting the scope of this disclosure. The scope of this disclosure is solely defined by the appended claims and is intended to cover the claims, equivalents, and all possible modifications made without departing from the scope of this disclosure.
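The access gate summarized in the aspects and in section H can be simulated as follows. This is an added example, not code from the patent or from the applicant: the names `Member`, `access_allowed`, `insert_card` and `required`, the unanimous default for the predetermined condition, and all serial numbers and model codes are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Info:
    serial: str
    model: str

@dataclass
class Member:
    name: str
    info: Info                                    # what the member reports about itself
    retained: dict = field(default_factory=dict)  # retained list: member name -> Info

    def verify_others(self, group, mode):
        """Verify each other member's reported info against the retained list."""
        for other in group:
            if other.name == self.name:
                continue
            expected = self.retained.get(other.name)
            if expected is None:                  # member absent from the list
                return False
            if getattr(other.info, mode) != getattr(expected, mode):
                return False
        return True

def build_group(spec):
    """spec maps name -> (serial, model); every member retains the full list."""
    infos = {name: Info(*pair) for name, pair in spec.items()}
    return [Member(name, info, dict(infos)) for name, info in infos.items()]

def access_allowed(first_name, group, mode="serial", required=None):
    """Gate the first device on the results of every member except itself."""
    if mode not in ("serial", "model"):
        raise ValueError(f"unknown verification mode: {mode}")
    voters = [m for m in group if m.name != first_name]
    if required is None:
        required = len(voters)                    # assumption: unanimous by default
    passed = sum(m.verify_others(group, mode) for m in voters)
    return passed >= required

def insert_card(card_site, host_site, mode, required=None):
    """Card prepared in card_site is inserted into the PLC of host_site."""
    card = next(m for m in build_group(card_site) if m.name == "card300")
    hosts = [m for m in build_group(host_site) if m.name != "card300"]
    return access_allowed("plc100", [card] + hosts, mode, required)

# Constructed sample data: all serial numbers and model codes are invented.
SITE_A = {"card300": ("C-0001", "MC"), "plc100": ("P-1000", "CPU-A"),
          "unit200-1": ("U-2001", "IO-16"), "unit200-2": ("U-2002", "IO-16")}
# Same model codes as SITE_A, different serial numbers.
SITE_B = {"card300": ("C-0009", "MC"), "plc100": ("P-9000", "CPU-A"),
          "unit200-1": ("U-9001", "IO-16"), "unit200-2": ("U-9002", "IO-16")}
# Differently configured system: other model codes.
SITE_C = {"card300": ("C-0500", "MC"), "plc100": ("P-5000", "CPU-Z"),
          "unit200-1": ("U-5001", "AD-8"), "unit200-2": ("U-5002", "AD-8")}

def stale_list_case(required):
    """One unit retains an outdated card serial; vary the required count."""
    group = build_group(SITE_A)
    stale = next(m for m in group if m.name == "unit200-2")
    stale.retained["card300"] = Info("C-0000", "MC")
    return access_allowed("plc100", group, "serial", required)

if __name__ == "__main__":
    print("A card in A, serial:", insert_card(SITE_A, SITE_A, "serial"))
    print("A card in B, serial:", insert_card(SITE_A, SITE_B, "serial"))
    print("A card in B, model: ", insert_card(SITE_A, SITE_B, "model"))
    print("A card in C, model: ", insert_card(SITE_A, SITE_C, "model"))
```

In the differently configured system the host units still agree with one another, so it is the card's own check against its retained list that keeps the count below the unanimous default; `stale_list_case` shows how lowering `required` trades strictness for tolerance of one out-of-date list.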
- 1: control system, 200: unit, 2: network, 4: local bus, 1001, 2001, 3001: list, 102, 402, 1131, 2161: processor, 103, 113: memory card interface, 104, 404: main memory, 105: USB connector, 106, 406, 1132, 2162: storage, 108, 416: network controller, 130, 418: processor bus, 140: control program, 210: function module, 220: local bus controller, 300: memory card, 400: support device, 408: input unit, 410: display unit, 412: optical drive, 414: recording medium, 450: screen, 451: field of user information, 452: field of user authentication method, 453: field of password, 454: field of verification method, 455: field of security level, 456: field of applicable range, 1060: system program, 1065, 2150: restoration program, 1130, 2130: security unit, 1133, 2163: memory, 1134, 1135: IO module, 1136: memory card controller, 1150: read program, 1160, 1360, 2160: user data, 1170, 1370, 2170, 3170: certificate data, 1180, 1380, 2180: identification data, 1331: data area, 1332: secure area, 1335: data, 1336: security controller, 4062: support program
Claims (9)
1. A control system configured to control access to data in a device group, the device group comprising a plurality of devices, the plurality of devices being configured to communicate with one another, the control system comprising:
a first device included in the plurality of devices and configured to receive, in a removable manner, a storage medium in which data is storable; and
one or a plurality of second devices included in the plurality of devices,
each of members of the plurality of devices and the storage medium comprising:
a storage region configured to retain a list including relevant information associated with each of the members; and
a verifying unit configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members, wherein
the first device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the first device satisfies a predetermined condition.
2. The control system according to claim 1, wherein
the first device comprises a reader including a concealed logic for exclusive use, and
the storage medium is configured to permit access from the reader alone.
3. The control system according to claim 1, wherein
the relevant information includes a serial number for identification of each of the members, and
the verifying unit verifies the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members.
4. The control system according to claim 1, wherein
the relevant information includes a model code of each of the members, and
the verifying unit verifies the model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members.
5. The control system according to claims 1, further comprising a support device configured to support the device group, wherein
the relevant information includes a serial number used to individually identify each of the members and a model code of each of the members,
the verifying unit comprises:
a first verifying unit configured to verify the serial number of each of the other members included in the list retained in the storage region against the serial number of each of the other members obtained from each of the other members; and
a second verifying unit configured to verify the model code of each of the other members included in the list retained in the storage region against the model code of each of the other members obtained from each of the other members, and
the support device provides a user interface configured to select the first verifying unit or the second verifying unit.
6. The control system according to one of claims 1, further comprising a support device configured to support the device group, wherein
the support device provides a user interface configured to set a number of any members included in the members but the first device to be verified by the verifying unit.
7. The control system according to one of claims 1, further comprising a support device configured to support the device group, wherein
the support device provides a user interface configured to set a range of applicable members among the members.
8. A method for controlling access to data in a device group, the device group comprising a plurality of devices, the plurality of devices being configured to communicate with one another, the plurality of devices comprising:
a first device configured to receive, in a removable manner, a storage medium in which data is storable; and
one or a plurality of second devices,
each of members of the plurality of devices and the storage medium comprising a storage region configured to retain a list including relevant information associated with each of the members,
the method comprising:
prompting each of the members to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members, and
enabling the first device to access the data stored in the storage medium when a result of verification obtained by each of the other members but the first device satisfies a predetermined condition.
9. A control device included in a device group, the device group comprising a plurality of devices, the plurality of devices being configured to communicate with one another,
the control device being configured to control access to data and comprising a receiving portion configured to receive, in a removable manner, a storage medium in which data is storable,
each of members of the plurality of devices and the storage medium comprising:
a storage region configured to retain a list including relevant information associated with each of the members; and
a verifying unit configured to verify the relevant information of each of other members included in the list retained in the storage region against the relevant information of each of the other members obtained from each of the other members, wherein
the control device is configured to access the data stored in the storage medium when a result of verification obtained by the verifying unit of each of the other members but the control device satisfies a predetermined condition.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2019046799A JP2020149404A (en) | 2019-03-14 | 2019-03-14 | System, method and device for control |
JP2019-046799 | 2019-03-14 | ||
PCT/JP2020/005276 WO2020184036A1 (en) | 2019-03-14 | 2020-02-12 | Control system, control method, and control device |
Publications (1)
Publication Number | Publication Date |
---|---|
US20220164464A1 (en) | 2022-05-26 |
Family
ID=72426378
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/434,189 Pending US20220164464A1 (en) | 2019-03-14 | 2020-02-12 | Control system, method, and control device |
Country Status (5)
Country | Link |
---|---|
US (1) | US20220164464A1 (en) |
EP (1) | EP3940470A4 (en) |
JP (1) | JP2020149404A (en) |
CN (1) | CN113518951A (en) |
WO (1) | WO2020184036A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20230308439A1 (en) * | 2022-03-22 | 2023-09-28 | Cisco Technology, Inc. | Distributed hierarchical authentication of system component identities |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030018804A1 (en) * | 2001-03-28 | 2003-01-23 | Amruth Laxman | Method and apparatus for deriving a standard MAC address from physical location |
US20110264688A1 (en) * | 2010-04-26 | 2011-10-27 | International Business Machines Corporation | Peer to peer (p2p) data licensing model in a distributed abstract query environment |
US20120331526A1 (en) * | 2011-06-22 | 2012-12-27 | TerraWi, Inc. | Multi-level, hash-based device integrity checks |
US20140143605A1 (en) * | 2012-11-16 | 2014-05-22 | Tata Consultancy Services Limited | System and method for validating configuration settings |
US20180121909A1 (en) * | 2016-10-28 | 2018-05-03 | International Business Machines Corporation | System and method to dynamically setup a private sub-blockchain based on agility of transaction processing |
US20180212970A1 (en) * | 2017-01-20 | 2018-07-26 | Verizon Patent And Licensing Inc. | Distributed authentication for internet-of-things resources |
US20220058259A1 (en) * | 2019-01-07 | 2022-02-24 | Nec Corporation | Information processing device, verification system, and information processing method |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3389186B2 (en) * | 1999-04-27 | 2003-03-24 | 松下電器産業株式会社 | Semiconductor memory card and reading device |
JP2002099344A (en) * | 2000-07-14 | 2002-04-05 | Mitsubishi Electric Corp | Method and device for detecting illegal copy of program, storage medium for application program, and storage medium for unit for dealing with network protocol |
JP3548829B2 (en) * | 2002-01-10 | 2004-07-28 | オムロン株式会社 | Unit, PLC and User Program Processing Method |
WO2004084075A1 (en) * | 2003-03-18 | 2004-09-30 | Fujitsu Limited | Information access control method, access control program, and external recording medium |
JP4582399B2 (en) * | 2004-10-04 | 2010-11-17 | 横河電機株式会社 | PLC configuration module save means |
EP2038800A2 (en) * | 2006-07-07 | 2009-03-25 | Sandisk Corporation | System and method for controlling information supplied from memory device |
JP2011215814A (en) | 2010-03-31 | 2011-10-27 | Keyence Corp | Programmable controller, setting value backup restoration system and setting value backup restoration unit |
JP6167532B2 (en) * | 2013-01-25 | 2017-07-26 | オムロン株式会社 | Control device and operation method of control device |
JP6225065B2 (en) * | 2014-04-18 | 2017-11-01 | 日本電信電話株式会社 | Device management device |
2019
- 2019-03-14 JP JP2019046799A patent/JP2020149404A/en active Pending
2020
- 2020-02-12 WO PCT/JP2020/005276 patent/WO2020184036A1/en active Application Filing
- 2020-02-12 EP EP20769699.8A patent/EP3940470A4/en active Pending
- 2020-02-12 US US17/434,189 patent/US20220164464A1/en active Pending
- 2020-02-12 CN CN202080017752.2A patent/CN113518951A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN113518951A (en) | 2021-10-19 |
WO2020184036A1 (en) | 2020-09-17 |
JP2020149404A (en) | 2020-09-17 |
EP3940470A4 (en) | 2022-11-23 |
EP3940470A1 (en) | 2022-01-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment | Owner name: OMRON CORPORATION, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KAWAI, KO;REEL/FRAME:058889/0572 Effective date: 20210906 |
STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |